lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 22 Apr 2014 14:29:38 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Jon Maloy <jon.maloy@...csson.com>
Cc:	Erik Hugne <erik.hugne@...csson.com>, netdev@...r.kernel.org
Subject: Re: skb_try_coalesce bug?

On Tue, 2014-04-22 at 16:35 -0400, Jon Maloy wrote:
> On 04/22/2014 04:05 PM, Eric Dumazet wrote:
> > On Tue, 2014-04-22 at 15:38 -0400, Jon Maloy wrote:
> > 
> >>
> >> In the case I encountered, our head buffer is linear (skb->data_len == 0),
> >> so it is the real tailroom value that is returned. An alas, that one is big
> >> enough to contain the last (small) fragment of the message.
> > 
> > 
> > Whole point of skb_try_coalesce() is to coalesce as much as possible,
> > without guarantee of keeping some sort of 'segments'
> > 
> > skb_try_coalesce - try to merge skb to prior one
> > 
> > If you do not want this to happen, (you seem to want nothing else in
> > your head buffer skb->head), you need to add some logic.
> 
> Ok. I should have given a little background.
> 
> 1: We send a message of 3041 bytes, inclusive TIPC header, via loopback interface.
> 
> 2: This one gets chopped up in three fragments: 1420, 1420,and 201 bytes.
>    (The mtu was of course wrong, but this is how I discovered the problem).
> 
> 3: First fragment is received, uncloned, and serves as head.
> 
> 4;  Second fragment (a clone) is received. skb_try_coalesce() fails at
>     the skb_head_is_locked() test, because the buffer is a clone.
>     Because of this, we add the buffer to skb_shinfo(head)->frag_list
>     instead.

Then if you do that, you also need to change head->data_len !

> 
> 5: Third fragment (also a clone) is received. Now, since we check for
>    space in tailroom of header before we do anything else, it slips
>    in there, and bypasses the already chained-up second segment.

Only because you failed to tell the world @head was no longer linear.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ