lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 17 Nov 2014 18:19:23 -0800
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Wengang <wen.gang.wang@...cle.com>
Cc:	Jay Vosburgh <jay.vosburgh@...onical.com>, netdev@...r.kernel.org
Subject: Re: [PATCH] [bonding]: clear header_ops when last slave detached

On Tue, 2014-11-18 at 09:56 +0800, Wengang wrote:
> Hi Jay,
> 
> 于 2014年11月18日 09:38, Jay Vosburgh 写道:
> > Wengang <wen.gang.wang@...cle.com> wrote:
> >
> >> Hi,
> >>
> >> Could anybody please review this patch?
> > 	I don't see that the original of this ever came through netdev.
> 
> Oh, that' bad. I sent this to netdev@...r.kernel.org. The mail address 
> is wrong?
> 
> >> thanks,
> >> wengang
> >>
> >> 于 2014年11月13日 10:19, Wengang Wang 写道:
> >>> When last slave of a bonding master is removed, the bonding then does not work.
> >>> When packet_snd is called against with a master net_device, it accesses
> >>> header_ops. In case the header_ops is not valid any longer(say module unloaded)
> >>> it will then access an invalid memory address.
> >>> This patch try to fix this issue by clearing header_ops when last slave
> >>> detached.
> > 	Am I correct in presuming that this behavior is limited to ipoib
> > slaves only?  I don't see that this could occur with ethernet slaves, as
> > eth_header_ops isn't part of a module.  This needs to be mentioned in
> > the commit log.
> Yes, the problem is found with ipoib slaves.
> >>> Signed-off-by: Wengang Wang <wen.gang.wang@...cle.com>
> >>> ---
> >>>    drivers/net/bonding/bond_main.c | 2 ++
> >>>    1 file changed, 2 insertions(+)
> >>>
> >>> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> >>> index c9ac06c..84a34fc 100644
> >>> --- a/drivers/net/bonding/bond_main.c
> >>> +++ b/drivers/net/bonding/bond_main.c
> >>> @@ -1728,6 +1728,8 @@ static int __bond_release_one(struct net_device *bond_dev,
> >>>    	unblock_netpoll_tx();
> >>>    	synchronize_rcu();
> >>>    	bond->slave_cnt--;
> >>> +	if (!bond->slave_cnt)
> >>> +		bond->dev->header_ops = NULL;
> >>>      	if (!bond_has_slaves(bond)) {
> >>>    		call_netdevice_notifiers(NETDEV_CHANGEADDR, bond->dev);
> > 	I believe your addition could be moved into the block for the
> > next if, as "!bond->slave_cnt" is essentially "!bond_has_slaves()".
> 
> Yes, Agree.
> I will send the second prompt soon with commit message mentioning ipoib.

I really don't like this patch. Its quite racy.

bond_setup_by_slave() kind of assume slave_dev->header_ops is always
present. 

No rcu protection, no module refcount protection for struct header_ops

Considering ipoib_hard_header() is quite small, you might instead move
ipoib_hard_header() and ipoib_header_ops in static vmlinux, like we do
for eth_header_ops.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ