| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Apr 2013 09:05:51 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Dave Jones <davej@...hat.com>, David Miller <davem@...emloft.net> Cc: netdev@...r.kernel.org Subject: Re: oops in udpv6_sendmsg On Wed, 2013-04-17 at 07:27 -0700, Eric Dumazet wrote: > On Wed, 2013-04-17 at 10:11 -0400, Dave Jones wrote: > > On Tue, Apr 16, 2013 at 07:02:12PM -0700, Eric Dumazet wrote: > > > good news is that with some changes, I was able to make current > > trinity reproduce this in seconds rather than hours.. > > > > ./trinity -q -l off -n -c sendmsg -c connect > > > > on current tree seems to reliably trigger it for me. > > Good new indeed, I got a crash in 2 seconds > > (have to reproduce it because I lost the console output) > > Hmm, sk_dst_get() assumes dst are always freed after RCU grace period, but it seems not the case with IPv6. We should atomically set dst->__refcnt to -1 before RCU grace period and final destruction, then sk_dst_get should do something like : rcu_read_lock(); dst = rcu_dereference(sk->sk_dst_cache); if (dst && !atomic_add_unless(&dst->__refcnt, 1, -1)) dst = NULL; rcu_read_unlock(); Ie we should not increment dst->__refcnt if the dst is in dismantle phase. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists