From: Paolo Abeni <pabeni@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	David Miller <davem@davemloft.net>
Cc: Willem de Bruijn <willemb@google.com>, netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH v2 net] udp: on peeking bad csum, drop packets even if not at head
Date: Tue, 22 Aug 2017 18:47:42 +0200
Message-ID: <1503420462.13544.9.camel@redhat.com>
In-Reply-To: <1503419968.2499.33.camel@edumazet-glaptop3.roam.corp.google.com>

On Tue, 2017-08-22 at 09:39 -0700, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> When peeking, if a bad csum is discovered, the skb is unlinked from
> the queue with __sk_queue_drop_skb and the peek operation restarted.
> 
> __sk_queue_drop_skb only drops packets that match the queue head.
> 
> This fails if the skb was found after the head, using SO_PEEK_OFF
> socket option. This causes an infinite loop.
> 
> We MUST drop this problematic skb, and we can simply check if skb was
> already removed by another thread, by looking at skb->next :
> 
> This pointer is set to NULL by the __skb_unlink() operation, that might
> have happened only under the spinlock protection.
> 
> Many thanks to syzkaller team (and particularly Dmitry Vyukov who
> provided us nice C reproducers exhibiting the lockup) and Willem de
> Bruijn who provided first version for this patch and a test program.
> 
> Fixes: 627d2d6b5500 ("udp: enable MSG_PEEK at non-zero offset")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Willem de Bruijn <willemb@google.com>
> ---
>  net/core/datagram.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/datagram.c b/net/core/datagram.c
> index a21ca8dee5ea..8c2f4489ff8f 100644
> --- a/net/core/datagram.c
> +++ b/net/core/datagram.c
> @@ -362,7 +362,7 @@ int __sk_queue_drop_skb(struct sock *sk, struct sk_buff_head *sk_queue,
>  	if (flags & MSG_PEEK) {
>  		err = -ENOENT;
>  		spin_lock_bh(&sk_queue->lock);
> -		if (skb == skb_peek(sk_queue)) {
> +		if (skb->next) {
>  			__skb_unlink(skb, sk_queue);
>  			refcount_dec(&skb->users);
>  			if (destructor)
> 
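Review bot: the new `if (skb->next)` condition in this hunk is correct only because of an invariant the surrounding code does not state: __skb_unlink() clears skb->next (and skb->prev) to NULL, and that NULL is the sole thing distinguishing "still queued" from "already unlinked by another peeker". The replaced `skb == skb_peek(sk_queue)` test was self-explanatory; this one is not, so a one-line comment above the condition, e.g. `/* skb->next is NULL once __skb_unlink() ran under sk_queue->lock */`, would stop a later reader from "restoring" the head-only test or swapping in skb->prev. The test is only meaningful under the spin_lock_bh() taken two lines earlier, which this hunk does satisfy; the comment should say so, since callers of __skb_unlink() elsewhere may not hold that lock. The `err = -ENOENT` default still covers the already-unlinked case, as the quoted lines show.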

This version is really nice!

Acked-by: Paolo Abeni <pabeni@redhat.com>
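A small user-space model of the drop path discussed in this thread, added here as an example; it is not code from the patch, from the thread, or from the kernel. The structs, `peek_at`, `drop_head_only`, `drop_if_linked` and the bounded `peek_loop` are simplified stand-ins chosen for illustration and are assumptions, not kernel APIs. It shows why a drop routine that only matches the queue head leaves an skb found at a non-zero peek offset in place, so the restarted peek keeps finding the same bad-checksum skb, and why testing `skb->next` (which the unlink clears) handles both that case and the already-unlinked-by-another-thread case described in the commit message:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for sk_buff / sk_buff_head (assumption, not kernel types). */
struct skb { struct skb *next, *prev; int id; bool bad_csum; };
struct skb_head { struct skb *next, *prev; };	/* list sentinel */

static void queue_init(struct skb_head *q)
{
	q->next = q->prev = (struct skb *)q;
}

static void queue_tail(struct skb_head *q, struct skb *s)
{
	s->next = (struct skb *)q;
	s->prev = q->prev;
	q->prev->next = s;
	q->prev = s;
}

/* Like __skb_unlink(): splice out, then clear next/prev. */
static void queue_unlink(struct skb *s)
{
	s->prev->next = s->next;
	s->next->prev = s->prev;
	s->next = s->prev = NULL;
}

/* The skb `off` entries past the head (SO_PEEK_OFF analogue). */
static struct skb *peek_at(struct skb_head *q, int off)
{
	for (struct skb *s = q->next; s != (struct skb *)q; s = s->next)
		if (off-- == 0)
			return s;
	return NULL;
}

/* Pre-patch condition: only the queue head can be dropped. */
static int drop_head_only(struct skb_head *q, struct skb *s)
{
	if (s != q->next)
		return -ENOENT;
	queue_unlink(s);
	return 0;
}

/* Patched condition: drop iff still linked (unlink cleared next). */
static int drop_if_linked(struct skb_head *q, struct skb *s)
{
	if (!s->next)
		return -ENOENT;
	queue_unlink(s);
	return 0;
}

/* Peek-and-restart loop from the report: peek at `off`; on bad csum, try to
 * drop and peek again.  Returns the iteration that delivered a packet or
 * emptied the queue, or -1 if `max_iter` rounds made no progress (lockup). */
static int peek_loop(struct skb_head *q, int off,
		     int (*drop)(struct skb_head *, struct skb *), int max_iter)
{
	for (int i = 1; i <= max_iter; i++) {
		struct skb *s = peek_at(q, off);
		if (!s || !s->bad_csum)
			return i;
		drop(q, s);	/* result ignored: the peeker just restarts */
	}
	return -1;
}

/* Constructed queue: three datagrams, only the second (not the head) is bad. */
static int run_scenario(int (*drop)(struct skb_head *, struct skb *))
{
	struct skb_head q;
	struct skb pkts[3] = { { .id = 0 }, { .id = 1, .bad_csum = true }, { .id = 2 } };
	queue_init(&q);
	for (int i = 0; i < 3; i++)
		queue_tail(&q, &pkts[i]);
	return peek_loop(&q, 1, drop, 1000);
}

/* A racing second drop of an already-unlinked skb must be a no-op. */
static int second_drop_result(void)
{
	struct skb_head q;
	struct skb s = { .id = 7, .bad_csum = true };
	queue_init(&q);
	queue_tail(&q, &s);
	drop_if_linked(&q, &s);		/* first "thread" unlinks it */
	return drop_if_linked(&q, &s);	/* second sees next == NULL */
}

int main(void)
{
	printf("head-only check: %d (-1 = loops forever)\n", run_scenario(drop_head_only));
	printf("linked check:    done on iteration %d\n", run_scenario(drop_if_linked));
	printf("second drop:     %d (-ENOENT is %d)\n", second_drop_result(), -ENOENT);
	return 0;
}
```

With the head-only test the loop never terminates because the offending skb is never removed; with the linked test it is unlinked on the first pass and the next peek at the same offset returns the following good datagram. The second-drop case returns -ENOENT without touching the list, which is the "already removed by another thread" situation the commit message relies on.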


Thread overview: 9+ messages
2017-08-21 21:39 [PATCH net] udp: on peeking bad csum, drop packets even if not at head Willem de Bruijn
2017-08-21 22:37 ` Willem de Bruijn
2017-08-21 22:40 ` Eric Dumazet
2017-08-22  0:12   ` Willem de Bruijn
2017-08-22  1:11     ` Willem de Bruijn
2017-08-22 16:39   ` [PATCH v2 " Eric Dumazet
2017-08-22 16:47     ` Paolo Abeni [this message]
2017-08-22 17:29       ` Willem de Bruijn
2017-08-22 21:28     ` David Miller
