From: Steffen Klassert <steffen.klassert@secunet.com>
To: Michal Kubecek <mkubecek@suse.cz>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org
Subject: Re: [PATCH ipsec] xfrm: prevent ipcomp scratch buffer race condition
Date: Tue, 15 Oct 2013 10:33:48 +0200 [thread overview]
Message-ID: <20131015083348.GW7660@secunet.com> (raw)
In-Reply-To: <20131014160334.BCCDDE8A31@unicorn.suse.cz>
On Mon, Oct 14, 2013 at 06:03:34PM +0200, Michal Kubecek wrote:
> In ipcomp_compress(), sortirq is enabled too early, allowing the
> per-cpu scratch buffer to be rewritten by ipcomp_decompress()
> (called on the same CPU in softirq context) between populating
> the buffer and copying the compressed data to the skb.
>
> Add similar protection into ipcomp_decompress() as it can be
> called from process context as well (even if such scenario seems
> a bit artificial).
>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> ---
> net/xfrm/xfrm_ipcomp.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
> index 2906d52..96946fb 100644
> --- a/net/xfrm/xfrm_ipcomp.c
> +++ b/net/xfrm/xfrm_ipcomp.c
> @@ -48,9 +48,11 @@ static int ipcomp_decompress(struct xfrm_state *x, struct sk_buff *skb)
> const int cpu = get_cpu();
> u8 *scratch = *per_cpu_ptr(ipcomp_scratches, cpu);
> struct crypto_comp *tfm = *per_cpu_ptr(ipcd->tfms, cpu);
> - int err = crypto_comp_decompress(tfm, start, plen, scratch, &dlen);
> + int err;
> int len;
>
> + local_bh_disable();
Maybe we could disable the BHs before we fetch the percpu pointers.
Then we can use smp_processor_id() to get the cpu. With that we
could get rid of a (now useless) preempt_disable()/preempt_enable()
pair. Same could be done in ipcomp_compress().
Looks ok otherwise. Thanks!
next prev parent reply other threads:[~2013-10-15 8:33 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-14 16:03 [PATCH ipsec] xfrm: prevent ipcomp scratch buffer race condition Michal Kubecek
2013-10-15 8:33 ` Steffen Klassert [this message]
2013-10-15 8:59 ` Fan Du
2013-10-15 9:46 ` Steffen Klassert
2013-10-15 20:55 ` Michal Kubecek
2013-10-15 21:40 ` [PATCH ipsec v2] " Michal Kubecek
2013-10-15 22:44 ` Eric Dumazet
2013-10-16 12:32 ` [PATCH ipsec] " Herbert Xu
2013-10-17 9:55 ` Steffen Klassert
2013-10-17 13:07 ` [PATCH ipsec v3] " Michal Kubecek
2013-10-17 13:38 ` Eric Dumazet
2013-10-17 13:39 ` Herbert Xu
2013-10-18 9:25 ` Steffen Klassert
2013-10-18 10:54 ` [PATCH ipsec-next] xfrm: use vmalloc_node() for percpu scratches Eric Dumazet
2013-10-18 12:46 ` Herbert Xu
2013-10-21 14:48 ` Steffen Klassert
2013-10-17 11:01 ` [PATCH ipsec] xfrm: prevent ipcomp scratch buffer race condition Michal Kubecek
2013-10-17 11:04 ` Herbert Xu
2013-10-17 13:13 ` Michal Kubecek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131015083348.GW7660@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=mkubecek@suse.cz \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.