From: Eric Dumazet <eric.dumazet@gmail•com>
To: paulmck@linux•vnet.ibm.com
Cc: David Miller <davem@davemloft•net>,
emil.s.tantilov@intel•com, emils.tantilov@gmail•com,
netdev@vger•kernel.org, jesse.brandeburg@intel•com,
jeffrey.t.kirsher@intel•com, jolsa@redhat•com,
Patrick McHardy <kaber@trash•net>
Subject: Re: [PATCH] net: sk_prot_alloc() should not blindly overwrite memory
Date: Thu, 09 Jul 2009 22:50:00 +0200 [thread overview]
Message-ID: <4A5657F8.5090205@gmail.com> (raw)
In-Reply-To: <20090709171328.GB6723@linux.vnet.ibm.com>
Paul E. McKenney a écrit :
> On Thu, Jul 09, 2009 at 07:36:05AM +0200, Eric Dumazet wrote:
>> Eric Dumazet a écrit :
>>> David Miller a écrit :
>>>> From: Eric Dumazet <eric.dumazet@gmail•com>
>>>> Date: Wed, 08 Jul 2009 00:33:29 +0200
>>>>
>>>>> [PATCH] net: sk_prot_alloc() should not blindly overwrite memory
>>>>>
>>>>> Some sockets use SLAB_DESTROY_BY_RCU, and our RCU code rely that some
>>>>> fields should not be blindly overwritten, even with null.
>>>>>
>>>>> These fields are sk->sk_refcnt and sk->sk_nulls_node.next
>>>>>
>>>>> Current sk_prot_alloc() implementation doesnt respect this hypothesis,
>>>>> calling kmem_cache_alloc() with __GFP_ZERO and setting sk_refcnt to 1
>>>>> instead of atomically increment it.
>>>>>
>>>>> Reported-by: Emil S Tantilov <emils.tantilov@gmail•com>
>>>>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail•com>
>>>> I've applied this but will wait for some more testing before
>>>> I push it out for real to kernel.org
>>> Thanks David
>>>
>>> I forgot to CC Paul and Patrick, so I'll ask them to look at this patch.
>>>
>>> Patrick, a similar fix is needed in conntrack as well, we currently
>>> uses "ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);" and thus
>>> overwrite struct hlist_nulls_node hnnode; contained
>>> in "struct nf_conntrack_tuple_hash", while lockless readers still
>>> potentialy need them. Setting hnnode.next to NULL is dangerous
>>> since last bit is not set (not a nulls value), a reader could
>>> try to dereference this NULL pointer and trap.
>>>
>>>
>>> Here is the patch again so that Paul & Patrick can comment on it.
>>>
>>> I am not sure about the refcnt thing (blindly setting it to 0 again
>>> should be OK in fact, since no reader should/can to the
>>> atomic_inc_if_not_zero on it), but the nulls.next thing is problematic.
>> Here is an updated and much simpler patch, taking care of sk_node.next being not set to 0
>>
>> This patch applies to >= 2.6.29 kernels
>
> Does this one also need the rearrangement of struct elements in the
> earlier patch? (And apologies about being slow to get to that one.)
>
No, because only one field (sk_node.next) needs special attention, I felt
it was not really necessary to reorder fields. First memset
is inlined because of constant size, so small cost.
Thanks
> Thanx, Paul
>
>> [PATCH] net: sk_prot_alloc() should not blindly overwrite memory
>>
>> Some sockets use SLAB_DESTROY_BY_RCU, and our RCU code correctness
>> depends on sk->sk_nulls_node.next being always valid. A NULL
>> value is not allowed as it might fault a lockless reader.
>>
>> Current sk_prot_alloc() implementation doesnt respect this hypothesis,
>> calling kmem_cache_alloc() with __GFP_ZERO. Just call memset() around
>> the forbidden field.
>>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail•com>
>> ---
>> diff --git a/net/core/sock.c b/net/core/sock.c
>> index b0ba569..7b87ec0 100644
>> --- a/net/core/sock.c
>> +++ b/net/core/sock.c
>> @@ -939,8 +939,23 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
>> struct kmem_cache *slab;
>>
>> slab = prot->slab;
>> - if (slab != NULL)
>> - sk = kmem_cache_alloc(slab, priority);
>> + if (slab != NULL) {
>> + sk = kmem_cache_alloc(slab, priority & ~__GFP_ZERO);
>> + if (!sk)
>> + return sk;
>> + if (priority & __GFP_ZERO) {
>> + /*
>> + * caches using SLAB_DESTROY_BY_RCU should let
>> + * sk_node.next un-modified. Special care is taken
>> + * when initializing object to zero.
>> + */
>> + if (offsetof(struct sock, sk_node.next) != 0)
>> + memset(sk, 0, offsetof(struct sock, sk_node.next));
>> + memset(&sk->sk_node.pprev, 0,
>> + prot->obj_size - offsetof(struct sock,
>> + sk_node.pprev));
>> + }
>> + }
>> else
>> sk = kmalloc(prot->obj_size, priority);
>>
next prev parent reply other threads:[~2009-07-09 20:50 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-01 18:08 WARNING: at include/net/sock.h:417 udp_lib_unhash Tantilov, Emil S
2009-07-02 6:10 ` Eric Dumazet
2009-07-07 0:54 ` Emil S Tantilov
2009-07-07 7:21 ` Eric Dumazet
2009-07-07 7:40 ` Eric Dumazet
2009-07-07 16:14 ` [PATCH] net: sk_alloc() should not blindly overwrite memory Eric Dumazet
2009-07-07 18:33 ` Tantilov, Emil S
2009-07-07 22:33 ` [PATCH] net: sk_prot_alloc() " Eric Dumazet
2009-07-08 2:14 ` David Miller
2009-07-08 6:50 ` Eric Dumazet
2009-07-09 5:36 ` Eric Dumazet
2009-07-09 17:13 ` Paul E. McKenney
2009-07-09 20:50 ` Eric Dumazet [this message]
2009-07-12 3:27 ` David Miller
2009-07-12 7:07 ` Eric Dumazet
2009-07-15 12:28 ` [PATCH] net: nf_conntrack_alloc() should not use kmem_cache_zalloc() Eric Dumazet
2009-07-15 15:28 ` Patrick McHardy
2009-07-15 19:54 ` [PATCH] net: nf_conntrack_alloc() fixes Eric Dumazet
2009-07-16 9:13 ` [PATCH] net: sock_copy() fixes Eric Dumazet
2009-07-17 1:09 ` David Miller
2009-07-16 12:05 ` [PATCH] net: nf_conntrack_alloc() fixes Patrick McHardy
2009-07-08 17:02 ` [PATCH] net: sk_prot_alloc() should not blindly overwrite memory Tantilov, Emil S
2009-07-08 17:45 ` David Miller
2009-07-08 23:21 ` Eric Dumazet
2009-07-08 23:35 ` Tantilov, Emil S
2009-07-09 0:20 ` [PATCH] net: ip_push_pending_frames() fix Eric Dumazet
2009-07-09 14:32 ` Tantilov, Emil S
2009-07-09 14:38 ` Eric Dumazet
2009-07-12 3:27 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A5657F8.5090205@gmail.com \
--to=eric.dumazet@gmail$(echo .)com \
--cc=davem@davemloft$(echo .)net \
--cc=emil.s.tantilov@intel$(echo .)com \
--cc=emils.tantilov@gmail$(echo .)com \
--cc=jeffrey.t.kirsher@intel$(echo .)com \
--cc=jesse.brandeburg@intel$(echo .)com \
--cc=jolsa@redhat$(echo .)com \
--cc=kaber@trash$(echo .)net \
--cc=netdev@vger$(echo .)kernel.org \
--cc=paulmck@linux$(echo .)vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox