Daniel Borkmann <dan...@iogearbox.net> wrote: > On 01/23/2016 08:25 PM, Florian Westphal wrote: > >Dmitry Vyukov <dvyu...@google.com> wrote: > > > >[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ] > > > >>The following program causes GPF in netlink_getsockbyportid: [..]
> >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/ > > > >root cause is in nfnetlink_rcv_batch(): > > > >296 replay: > >297 status = 0; > >298 > >299 skb = netlink_skb_clone(oskb, GFP_KERNEL); > > > >The clone op doesn't copy oskb->sk, so we oops in > >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch > >tries to send netlink ack. > > If indeed oskb is the mmap'ed netlink skb, then it's not even allowed > to call into skb_clone() Right, but in this case there is no mmap'd netlink sk involved -- we crash when we try to look up dst netlink socket to see if there is an mmap'd ring attached. [ and that code isn't there with CONFIG_NETLINK_MMAP=n ].
