| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fe103dee-bba8-1e0d-83b2-f91c2c37089d@gmail.com>
Date: Fri, 16 Aug 2019 10:23:55 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Hangbin Liu <liuhangbin@...il.com>
Cc: netdev@...r.kernel.org, Stefano Brivio <sbrivio@...hat.com>,
wenxu <wenxu@...oud.cn>, Alexei Starovoitov <ast@...com>,
"David S . Miller" <davem@...emloft.net>
Subject: Re: [PATCH net] tunnel: fix dev null pointer dereference when send
pkg larger than mtu in collect_md mode
On 8/16/19 5:24 AM, Hangbin Liu wrote:
> Hi Eric,
>
> Thanks for the review.
> On Thu, Aug 15, 2019 at 11:16:58AM +0200, Eric Dumazet wrote:
>>> diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
>>> index 38c02bb62e2c..c6713c7287df 100644
>>> --- a/net/ipv4/ip_tunnel.c
>>> +++ b/net/ipv4/ip_tunnel.c
>>> @@ -597,6 +597,9 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
>>> goto tx_error;
>>> }
>>>
>>> + if (skb_dst(skb) && !skb_dst(skb)->dev)
>>> + skb_dst(skb)->dev = rt->dst.dev;
>>> +
>>
>>
>> IMO this looks wrong.
>> This dst seems shared.
>
> If the dst is shared, it may cause some problem. Could you point me where the
> dst may be shared possibly?
>
dst are inherently shared.
This is why we have a refcount on them.
Only when the dst has been allocated by the current thread we can make changes on them.
Powered by blists - more mailing lists