From: David Miller <davem@davemloft.net>
To: johannes@sipsolutions.net
Cc: mb@bu3sch.de, netdev@vger.kernel.org, linux-wireless@vger.kernel.org
Subject: Re: mac80211 truesize bugs
Date: Thu, 01 May 2008 02:43:20 -0700 (PDT) [thread overview]
Message-ID: <20080501.024320.212547875.davem@davemloft.net> (raw)
In-Reply-To: <1209634349.4008.15.camel@johannes.berg>
From: Johannes Berg <johannes@sipsolutions.net>
Date: Thu, 01 May 2008 11:32:29 +0200
> On Thu, 2008-05-01 at 02:20 -0700, David Miller wrote:
> > From: Johannes Berg <johannes@sipsolutions.net>
> > Date: Thu, 01 May 2008 11:08:06 +0200
> >
> > > > Seems the skb->destructor messes it up.
> > >
> > > Actually, it seems to be outside of mac80211, I put in a WARN_ON() and
> > > got this:
> >
> > You're just seeing who freed it last here.
> >
> > It could have had its ->truesize put into an illegal state
> > elsewhere.
>
> Yes, I know, but it doesn't come from my skb_orphan() call. Hence, I
> just netif_rx() the packet which makes it go onto the input_pkt_queue
> and then to netif_receive_skb() which gives it to af_packet and all
> others should ignore it since I set PACKET_OTHERHOST.
I looked at the mac80211 code; the problem is the skb_push() you
guys do in this situation.
Things like loopback, which also orphan then reinject, don't trigger
this problem because the re-input path trims things, never adds.
The good news is that this is easy to fix.
Since you've orphaned the SKB, simply adjust skb->truesize as you
do pushes. Like this:
mac80211: Adjust truesize in ieee80211_tx_status() when reinjecting.
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 9ad4e36..de2e904 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1485,6 +1485,9 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
rthdr = (struct ieee80211_tx_status_rtap_hdr*)
skb_push(skb, sizeof(*rthdr));
+ /* This is safe because the buffer has been orphaned. */
+ skb->truesize += sizeof(*rthdr);
+
memset(rthdr, 0, sizeof(*rthdr));
rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
rthdr->hdr.it_present =
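Review bot: the correctness of `skb->truesize += sizeof(*rthdr);` rests entirely on skb_orphan() having already run for this skb, yet that call is outside the hunk and nothing at this point enforces it; consider adding `WARN_ON(skb->sk);` (or `WARN_ON(skb->destructor);`) immediately before the adjustment so that a future caller reaching ieee80211_tx_status() with an un-orphaned buffer is caught loudly instead of silently skewing a socket's memory accounting, and reword the comment to say where the orphaning happens rather than only asserting that it has.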