| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Sep 2014 07:40:18 -0700 From: Alexander Duyck <alexander.h.duyck@...el.com> To: Arend van Spriel <arend@...adcom.com>, Johannes Berg <johannes@...solutions.net> CC: netdev@...r.kernel.org, linux-wireless@...r.kernel.org, davem@...emloft.net, eric.dumazet@...il.com, linville@...driver.com Subject: Re: [PATCH net-next 2/2] mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path On 09/11/2014 02:38 AM, Arend van Spriel wrote: > On 09/11/14 09:06, Johannes Berg wrote: >> On Wed, 2014-09-10 at 18:05 -0400, Alexander Duyck wrote: >>> There is a possible issue with the use, or lack thereof of sk_refcnt and >>> sk_wmem_alloc in the wifi ack status functionality. >>> >>> Specifically if a socket were to request acknowledgements, and the >>> socket >>> were to have sk_refcnt drop to 0 resulting in it waiting on >>> sk_wmem_alloc >>> to reach 0 it would be possible to have sock_queue_err_skb orphan the >>> last >>> buffer, resulting in __sk_free being called on the socket. After >>> this the >>> buffer is enqueued on sk_error_queue, however the queue has already been >>> flushed resulting in at least a memory leak, if not a data corruption. >> >> Oh. Thanks :-) > > Hi Alexander, > > So why is this only an issue in wifi ack path. The sock_queue_err_skb() > does not mention the caller should hold a sock reference. This seems > entirely an issue of the sock_queue_err_skb() function itself so why not > do sk_hold/sk_put within that function. Does it impose too much overhead? > > Regards, > Arend I considered it but there are a number of cases where this is not an issue. For example in the tx timestamping path there is the software timestamp case where the buffer is cloned and the clone is queued immediately onto the sk_error_queue. In that case we still have a reference in the other skb that is maintaining the socket. So I thought it best to just address the cases where I know this could be a problem. I had already addressed it in the timestamping for hardware timestamps where we are doing something similar. So I thought it would make sense to cover the other case that should have the same problems. Thanks, Alex -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists