lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Oct 2016 23:38:51 -0700 From: Krister Johansen <kjlx@...pleofstupid.com> To: Jamal Hadi Salim <jhs@...atatu.com> Cc: Krister Johansen <kjlx@...pleofstupid.com>, netdev@...r.kernel.org, Cong Wang <xiyou.wangcong@...il.com> Subject: Re: [PATCH net] Panic when tc_lookup_action_n finds a partially initialized action. On Sun, Oct 02, 2016 at 09:18:06PM -0400, Jamal Hadi Salim wrote: > On 16-10-01 11:13 PM, Krister Johansen wrote: > >A tc_action_ops structure is visibile as soon as it is placed in the > >act_base list. When tcf_regsiter_action adds an item to this list and > >drops act_mod_lock, registration is not complete until > >register_pernet_subsys() finishes. > > > >If two threads attempt to modify a tc action in a way that triggers a > >module load, the thread that wins the race ends up defeferencing a NULL > >pointer after tcf_action_init_1() invokes a_o->init(). In the > >particular case that this submitter encountered, the panic occurred in > >tcf_gact_init() when net_generic() returned a NULL tc_action_net > >pointer. The gact_net_id needed to fetch the correct pointer was not > >yet set, because the register_pernet_subsys() call was pending in > >another thread. > > > >Fixes: ddf97ccdd7cb ("net_sched: add network namespace support for tc actions") > >Signed-off-by: Krister Johansen <kjlx@...pleofstupid.com> > > Looks reasonable to me but will let Cong a closer look since he added > that code. Thanks, I appreicate you taking a look. I'll follow up with Cong. -K
Powered by blists - more mailing lists