| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Nov 2017 18:08:42 +0900 (KST)
From: David Miller <davem@...emloft.net>
To: eric.dumazet@...il.com
Cc: netdev@...r.kernel.org, elena.reshetova@...el.com,
edumazet@...gle.com
Subject: Re: [PATCH net] tcp: gso: avoid refcount_t warning from
tcp_gso_segment()
From: Eric Dumazet <eric.dumazet@...il.com>
Date: Tue, 07 Nov 2017 15:15:04 -0800
> From: Eric Dumazet <edumazet@...gle.com>
>
> When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
> and N2, we want to transfer socket ownership to the new fresh skbs.
>
> In order to avoid expensive atomic operations on a cache line subject to
> cache bouncing, we replace the sequence :
>
> refcount_add(N1, &sk->sk_wmem_alloc);
> refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments
>
> refcount_sub(O, &sk->sk_wmem_alloc);
>
> by a single
>
> refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);
>
> Problem is :
>
> In some pathological cases, sum(N) - O might be a negative number, and
> syzkaller bot was apparently able to trigger this trace [1]
>
>
> atomic_t was ok with this construct, but we need to take care of the
> negative delta with refcount_t
...
> Fixes: 14afee4b6092 ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: syzbot <syzkaller@...glegroups.com>
Applied and queued up for -stable, thanks Eric.
Powered by blists - more mailing lists