lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20160406181010.GA17455@jwg>
Date:	Wed, 6 Apr 2016 11:10:11 -0700
From:	Weongyo Jeong <weongyo.linux@...il.com>
To:	Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc:	Network Development <netdev@...r.kernel.org>,
	"David S. Miller" <davem@...emloft.net>,
	Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH] packet: uses kfree_skb() for drop.

On Wed, Apr 06, 2016 at 01:27:11PM -0400, Willem de Bruijn wrote:
> On Wed, Apr 6, 2016 at 12:54 PM, Weongyo Jeong <weongyo.linux@...il.com> wrote:
> > consume_skb() isn't for drop or error cases.  kfree_skb() is more proper
> > one.
> > Signed-off-by: Weongyo Jeong <weongyo.linux@...il.com>
> > ---
> >  net/packet/af_packet.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> > index 1ecfa71..a75d5bf 100644
> > --- a/net/packet/af_packet.c
> > +++ b/net/packet/af_packet.c
> > @@ -2141,7 +2141,7 @@ drop_n_restore:
> >                 skb->len = skb_len;
> >         }
> >  drop:
> > -       consume_skb(skb);
> > +       kfree_skb(skb);
> 
> This does show an inconsistency between packet_rcv and tpacket_rcv,
> which calls kfree_skb.
> 
> A comment at consume_skb mentions that kfree_skb is intended for drops
> that signal a failure condition, and indeed, that makes it a useful
> way to track errors (e.g., with perf record -a -g -e skb:kfree_skb).
> 
> This drop path is not always an error path, though. These network taps
> will legitimately drop references to any packets not destined to them.
> To be precise, only the drop_n_acct label cases are delivery errors
> (drops after the filter accepted the packet). Changing unconditionally
> to kfree_skb does pollute that useful counter with false positives. A
> pedantic solution is to change both functions to only call kfree_skb
> on drop_n_acct and consume_skb otherwise.
> 
> This shorthand change does at least makes packet_rcv and tpacket_rcv more alike.

Thank you for comments.  I'll try to submit patch v2 for this case.

Regards,
Weongyo Jeong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ