lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 22 Apr 2014 16:35:59 -0400
From:	Jon Maloy <jon.maloy@...csson.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	Erik Hugne <erik.hugne@...csson.com>, <netdev@...r.kernel.org>
Subject: Re: skb_try_coalesce bug?

On 04/22/2014 04:05 PM, Eric Dumazet wrote:
> On Tue, 2014-04-22 at 15:38 -0400, Jon Maloy wrote:
> 
>>
>> In the case I encountered, our head buffer is linear (skb->data_len == 0),
>> so it is the real tailroom value that is returned. An alas, that one is big
>> enough to contain the last (small) fragment of the message.
> 
> 
> Whole point of skb_try_coalesce() is to coalesce as much as possible,
> without guarantee of keeping some sort of 'segments'
> 
> skb_try_coalesce - try to merge skb to prior one
> 
> If you do not want this to happen, (you seem to want nothing else in
> your head buffer skb->head), you need to add some logic.

Ok. I should have given a little background.

1: We send a message of 3041 bytes, inclusive TIPC header, via loopback interface.

2: This one gets chopped up in three fragments: 1420, 1420,and 201 bytes.
   (The mtu was of course wrong, but this is how I discovered the problem).

3: First fragment is received, uncloned, and serves as head.

4;  Second fragment (a clone) is received. skb_try_coalesce() fails at
    the skb_head_is_locked() test, because the buffer is a clone.
    Because of this, we add the buffer to skb_shinfo(head)->frag_list
    instead.

5: Third fragment (also a clone) is received. Now, since we check for
   space in tailroom of header before we do anything else, it slips
   in there, and bypasses the already chained-up second segment.

Regards
///jon


> 
> A helper temporarily setting head->tail = head->end would do it I guess.
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists