Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Olof Johansson <olof@lixom.net>
To: David Miller <davem@davemloft.net>
Cc: xemul@openvz.org, netdev@vger.kernel.org, devel@openvz.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone()
Date: Thu, 18 Oct 2007 21:29:47 -0500	[thread overview]
Message-ID: <20071019022947.GA29560@lixom.net> (raw)
In-Reply-To: <20071017.212302.68039057.davem@davemloft.net>

On Wed, Oct 17, 2007 at 09:23:02PM -0700, David Miller wrote:
[...]
> > The same problem exists for detaching filter (SO_DETACH_FILTER).
> > 
> > The proposed fix consists of 3 preparation patches and the fix itself.
> > 
> > Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
> 
> Looks good, applied.
> 
> Thanks for fixing this bug Pavel!

Looks like this might be causing problems, at least for me on ppc. This
happened during a normal boot, right around first interface config/dhcp
run..

cpu 0x0: Vector: 300 (Data Access) at [c00000000147b820]
    pc: c000000000435e5c: .sk_filter_delayed_uncharge+0x1c/0x60
    lr: c0000000004360d0: .sk_attach_filter+0x170/0x180
    sp: c00000000147baa0
   msr: 9000000000009032
   dar: 4
 dsisr: 40000000
  current = 0xc000000004780fa0
  paca    = 0xc000000000650480
    pid   = 1295, comm = dhclient3
0:mon> t
[c00000000147bb20] c0000000004360d0 .sk_attach_filter+0x170/0x180
[c00000000147bbd0] c000000000418988 .sock_setsockopt+0x788/0x7f0
[c00000000147bcb0] c000000000438a74 .compat_sys_setsockopt+0x4e4/0x5a0
[c00000000147bd90] c00000000043955c .compat_sys_socketcall+0x25c/0x2b0
[c00000000147be30] c000000000007508 syscall_exit+0x0/0x40
--- Exception: c01 (System Call) at 000000000ff618d8
SP (fffdf040) is in userspace
0:mon> 

I.e. null pointer deref at sk_filter_delayed_uncharge+0x1c:

0:mon> di $.sk_filter_delayed_uncharge
c000000000435e40  7c0802a6      mflr    r0
c000000000435e44  fbc1fff0      std     r30,-16(r1)
c000000000435e48  7c8b2378      mr      r11,r4
c000000000435e4c  ebc2cdd0      ld      r30,-12848(r2)
c000000000435e50  f8010010      std     r0,16(r1)
c000000000435e54  f821ff81      stdu    r1,-128(r1)
c000000000435e58  380300a4      addi    r0,r3,164
c000000000435e5c  81240004      lwz     r9,4(r4)

That's the deref of fp:

static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
{
        unsigned int size = sk_filter_len(fp);
...

That is called from sk_attach_filter():

...
        rcu_read_lock_bh();
        old_fp = rcu_dereference(sk->sk_filter);
        rcu_assign_pointer(sk->sk_filter, fp);
        rcu_read_unlock_bh();

        sk_filter_delayed_uncharge(sk, old_fp);
        return 0;
...

So, looks like rcu_dereference() returned NULL. I don't know the
filter code at all, but it seems like it might be a valid case?
sk_detach_filter() seems to handle a NULL sk_filter, at least.


So, this needs review by someone who knows the filter, but it fixes the
problem for me:


Signed-off-by: Olof Johansson <olof@lixom.net>

diff --git a/net/core/filter.c b/net/core/filter.c
index 1f0068e..e0a0694 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -447,7 +447,8 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 	rcu_assign_pointer(sk->sk_filter, fp);
 	rcu_read_unlock_bh();
 
-	sk_filter_delayed_uncharge(sk, old_fp);
+	if (old_fp)
+		sk_filter_delayed_uncharge(sk, old_fp);
 	return 0;
 }

next prev parent reply	other threads:[~2007-10-19  2:23 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-17  9:45 [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() Pavel Emelyanov
2007-10-17  9:47 ` [PATCH 1/4] Introduce the sk_detach_filter() call Pavel Emelyanov
2007-10-17  9:49 ` [PATCH 2/4] Move the filter releasing into a separate call Pavel Emelyanov
2007-10-17  9:51 ` [PATCH 3/4] Cleanup the error path in sk_attach_filter Pavel Emelyanov
2007-10-17  9:53 ` [PATCH 4/4] Fix the race between sk_filter_(de|at)tach and sk_clone() Pavel Emelyanov
2007-10-18  4:23 ` [PATCH 0/4] Fix race between sk_filter reassign " David Miller
2007-10-19  2:29   ` Olof Johansson [this message]
2007-10-19  4:55     ` David Miller
2007-10-19  7:37       ` Pavel Emelyanov
2007-10-19  7:52         ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1f0068e dfblob:e0a0694 )
 OR (
bs:"Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20071019022947.GA29560@lixom.net \
    --to=olof@lixom.net \
    --cc=davem@davemloft.net \
    --cc=devel@openvz.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=xemul@openvz.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.