lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8051fcd-4b5-7b32-887e-7df7a779be1b@tarent.de>
Date:   Wed, 12 Oct 2022 22:17:56 +0200 (CEST)
From:   Thorsten Glaser <t.glaser@...ent.de>
To:     Dave Taht <dave.taht@...il.com>
cc:     netdev@...r.kernel.org
Subject: Re: RFH, where did I go wrong?

Dixi quod…

> > I'll take a harder look, but does it crash if you rip out debugfs?
[…]
> And yes, it (commit dbb99579808dcf106264f28f3c8cf5ef2f2c05bf) still
> crashes even if this time I get yet another message… all of those I

I may have found the case by reducing further. Disabling the periodic
dropping of too-old packets wasn’t it, but apparently, the code now
guarded by JANZ_HEADDROP is it. Replacing it (dropping the oldest
packet returning NET_XMIT_CN) with trivial code that rejects the new
packet-to-be-enqueued with qdisc_drop() instead… seems to not crash.

So, the code in question that seems to introduce the crash is:


u32 prev_backlog = sch->qstats.backlog;
//… normal code to add the passed skb (timestamp, etc.)
// q->memusage += cb->truesz;
if (unlikely(overlimit = (++sch->q.qlen > sch->limit))) {
	struct sk_buff *skbtodrop;
	/* skbtodrop = head of FIFO and remove it from the FIFO */
	skbtodrop = q->q[1].first;
	if (!(q->q[1].first = skbtodrop->next))
		q->q[1].last = NULL;
	--sch->q.qlen;
	/* accounting */
	q->memusage -= get_janz_skb(skbtodrop)->truesz;
	qdisc_qstats_backlog_dec(sch, skbtodrop);
	/* free the skb */
	rtnl_kfree_skbs(skbtodrop, skbtodrop)
}
//… normal code to add:
// line 879-885 enqueue into the FIFO
// qdisc_qstats_backlog_inc(sch, skb);
//… now code protected by the flag again:
if (unlikely(overlimit)) {
	qdisc_qstats_overlimit(sch);
	qdisc_tree_reduce_backlog(sch, 0,
	    prev_backlog - sch->qstats.backlog);
	return (NET_XMIT_CN);
}
// normal code remaining: return (NET_XMIT_SUCCESS);


This *seems* pretty straightforward to me, given similar code
in other qdiscs, and what I could learn from their header and
implementation.

TIA,
//mirabilos
-- 
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

                        ****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
 ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
╱ ╲ header encryption!
                        ****************************************************

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ