Re: [Devel] Re: [PATCH] Copy mac_len in skb_clone() as well
From: Kirill Korotaev <[EMAIL PROTECTED]> Date: Thu, 15 Mar 2007 13:33:12 +0300 > David Miller wrote: > > From: Alexey Dobriyan <[EMAIL PROTECTED]> > > Date: Wed, 14 Mar 2007 16:07:11 +0300 > > > > > >>ANK says: "It is rarely used, that's wy it was not noticed. > >>But in the places, where it is used, it should be disaster." > >> > >>Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]> > > > > > > Applied. > > > > What bug triggered that helped you discover this? Or is it > > merely from a code audit? > Ohhh, it is a fairy-tale to tell the truth :) > We had some unexplainable problems with java application in OpenVZ kernel. > It didn't work sometimes, but worked fine (!) with CONFIG_SLAB_DEBUG. > Alexey blamed java :), but ... > Then we found that poising one of the bits in slab cache was curing it. > After that we found that the problem is related to fclone cache. > And then we found that not all the fields are initialized during cloning. > The bug was related to our own skb->field we introduced, > but we analyzed the code and found this as well. Thanks for the detailed information. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] Copy mac_len in skb_clone() as well
Hello! > What bug triggered that helped you discover this? Or is it > merely from a code audit? I asked the same question. :-) openvz added some another fields to skbuff and when it was found that they are lost while clone, he tried to figure out how all this works and looked for another examples of this kind. As I understand, the problem can be seen only in xfrmX_tunnel_input. If uninitialized mac_len obtained from slab is more than current head room it could corrupt memory. Also, it looks like the fix is incomplete. copy_skb_header() also does not copy this field. But it will be initialized to 0 by alloc_skb in this case and xfrmX_tunnel_input() just will not copy mac header. Alexey - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Devel] Re: [PATCH] Copy mac_len in skb_clone() as well
David Miller wrote: > From: Alexey Dobriyan <[EMAIL PROTECTED]> > Date: Wed, 14 Mar 2007 16:07:11 +0300 > > >>ANK says: "It is rarely used, that's wy it was not noticed. >>But in the places, where it is used, it should be disaster." >> >>Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]> > > > Applied. > > What bug triggered that helped you discover this? Or is it > merely from a code audit? Ohhh, it is a fairy-tale to tell the truth :) We had some unexplainable problems with java application in OpenVZ kernel. It didn't work sometimes, but worked fine (!) with CONFIG_SLAB_DEBUG. Alexey blamed java :), but ... Then we found that poising one of the bits in slab cache was curing it. After that we found that the problem is related to fclone cache. And then we found that not all the fields are initialized during cloning. The bug was related to our own skb->field we introduced, but we analyzed the code and found this as well. Thanks, Kirill - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] Copy mac_len in skb_clone() as well
From: Alexey Dobriyan <[EMAIL PROTECTED]> Date: Wed, 14 Mar 2007 16:07:11 +0300 > ANK says: "It is rarely used, that's wy it was not noticed. > But in the places, where it is used, it should be disaster." > > Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]> Applied. What bug triggered that helped you discover this? Or is it merely from a code audit? Thanks. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] Copy mac_len in skb_clone() as well
ANK says: "It is rarely used, that's wy it was not noticed. But in the places, where it is used, it should be disaster." Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]> --- net/core/skbuff.c |1 + 1 file changed, 1 insertion(+) --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -463,6 +463,7 @@ #endif memcpy(n->cb, skb->cb, sizeof(skb->cb)); C(len); C(data_len); + C(mac_len); C(csum); C(local_df); n->cloned = 1; - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
