lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <8051fcd-4b5-7b32-887e-7df7a779be1b@tarent.de> Date: Wed, 12 Oct 2022 22:17:56 +0200 (CEST) From: Thorsten Glaser <t.glaser@...ent.de> To: Dave Taht <dave.taht@...il.com> cc: netdev@...r.kernel.org Subject: Re: RFH, where did I go wrong? Dixi quod… > > I'll take a harder look, but does it crash if you rip out debugfs? […] > And yes, it (commit dbb99579808dcf106264f28f3c8cf5ef2f2c05bf) still > crashes even if this time I get yet another message… all of those I I may have found the case by reducing further. Disabling the periodic dropping of too-old packets wasn’t it, but apparently, the code now guarded by JANZ_HEADDROP is it. Replacing it (dropping the oldest packet returning NET_XMIT_CN) with trivial code that rejects the new packet-to-be-enqueued with qdisc_drop() instead… seems to not crash. So, the code in question that seems to introduce the crash is: u32 prev_backlog = sch->qstats.backlog; //… normal code to add the passed skb (timestamp, etc.) // q->memusage += cb->truesz; if (unlikely(overlimit = (++sch->q.qlen > sch->limit))) { struct sk_buff *skbtodrop; /* skbtodrop = head of FIFO and remove it from the FIFO */ skbtodrop = q->q[1].first; if (!(q->q[1].first = skbtodrop->next)) q->q[1].last = NULL; --sch->q.qlen; /* accounting */ q->memusage -= get_janz_skb(skbtodrop)->truesz; qdisc_qstats_backlog_dec(sch, skbtodrop); /* free the skb */ rtnl_kfree_skbs(skbtodrop, skbtodrop) } //… normal code to add: // line 879-885 enqueue into the FIFO // qdisc_qstats_backlog_inc(sch, skb); //… now code protected by the flag again: if (unlikely(overlimit)) { qdisc_qstats_overlimit(sch); qdisc_tree_reduce_backlog(sch, 0, prev_backlog - sch->qstats.backlog); return (NET_XMIT_CN); } // normal code remaining: return (NET_XMIT_SUCCESS); This *seems* pretty straightforward to me, given similar code in other qdiscs, and what I could learn from their header and implementation. TIA, //mirabilos -- Infrastrukturexperte • tarent solutions GmbH Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/ Telephon +49 228 54881-393 • Fax: +49 228 54881-235 HRB AG Bonn 5168 • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg **************************************************** /⁀\ The UTF-8 Ribbon ╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen: ╳ HTML eMail! Also, https://www.tarent.de/newsletter ╱ ╲ header encryption! ****************************************************
Powered by blists - more mailing lists