| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161004063851.GA2638@templeofstupid.com>
Date: Mon, 3 Oct 2016 23:38:51 -0700
From: Krister Johansen <kjlx@...pleofstupid.com>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: Krister Johansen <kjlx@...pleofstupid.com>, netdev@...r.kernel.org,
Cong Wang <xiyou.wangcong@...il.com>
Subject: Re: [PATCH net] Panic when tc_lookup_action_n finds a partially
initialized action.
On Sun, Oct 02, 2016 at 09:18:06PM -0400, Jamal Hadi Salim wrote:
> On 16-10-01 11:13 PM, Krister Johansen wrote:
> >A tc_action_ops structure is visibile as soon as it is placed in the
> >act_base list. When tcf_regsiter_action adds an item to this list and
> >drops act_mod_lock, registration is not complete until
> >register_pernet_subsys() finishes.
> >
> >If two threads attempt to modify a tc action in a way that triggers a
> >module load, the thread that wins the race ends up defeferencing a NULL
> >pointer after tcf_action_init_1() invokes a_o->init(). In the
> >particular case that this submitter encountered, the panic occurred in
> >tcf_gact_init() when net_generic() returned a NULL tc_action_net
> >pointer. The gact_net_id needed to fetch the correct pointer was not
> >yet set, because the register_pernet_subsys() call was pending in
> >another thread.
> >
> >Fixes: ddf97ccdd7cb ("net_sched: add network namespace support for tc actions")
> >Signed-off-by: Krister Johansen <kjlx@...pleofstupid.com>
>
> Looks reasonable to me but will let Cong a closer look since he added
> that code.
Thanks, I appreicate you taking a look. I'll follow up with Cong.
-K
Powered by blists - more mailing lists