[patch] bug prematurely setting nr_frags

[patch] bug prematurely setting nr_frags

[Benjamin LaHaise]

Hello Dave et al,

The patch below fixes a case where nr_frags will be incorrectly set when an 
allocation fails in sock_alloc_send_pskb.  This bug was found while trying 
to track down a problem that shows up as an oops attempting to free a page 
that comes from an uninitialized fragment entry in an skb, and this problem 
looks like a possible causes.  Thanks goes to Stephen Tweedie for digging 
through the crash dump to find several key bits of data.

		-ben
-- 
"You will be reincarnated as a toad; and you will be much happier."

:r ~/patches/v2.4/v2.4.20-pre1-nr_frags.diff
diff -urN v2.4.20-pre1/net/core/sock.c net-2.4.20-pre1/net/core/sock.c
--- v2.4.20-pre1/net/core/sock.c	Fri Aug  9 13:50:46 2002
+++ net-2.4.20-pre1/net/core/sock.c	Fri Aug  9 15:46:46 2002
@@ -785,7 +785,6 @@
 
 				npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
 				skb->truesize += data_len;
-				skb_shinfo(skb)->nr_frags = npages;
 				for (i = 0; i < npages; i++) {
 					struct page *page;
 					skb_frag_t *frag;
@@ -804,6 +803,9 @@
 						      PAGE_SIZE :
 						      data_len);
 					data_len -= PAGE_SIZE;
+
+					/* frag[i] is now initialized */
+					skb_shinfo(skb)->nr_frags = i + 1;
 				}
 
 				/* Full success... */

Re: [patch] bug prematurely setting nr_frags

[kuznet]

Hello!

> that comes from an uninitialized fragment entry in an skb, and this problem 
> looks like a possible causes.

This function is not used, by the way.

Alexey

Re: [patch] bug prematurely setting nr_frags

[Benjamin LaHaise]

On Mon, Aug 12, 2002 at 01:07:33AM +0400, kuznet@ms2.inr.ac.ru wrote:
> Hello!
> 
> > that comes from an uninitialized fragment entry in an skb, and this problem 
> > looks like a possible causes.
> 
> This function is not used, by the way.

Huh?  It's called from sock_alloc_send_skb, which is called from all 
over the stack.

		-ben
-- 
"You will be reincarnated as a toad; and you will be much happier."

Re: [patch] bug prematurely setting nr_frags

[kuznet]

Hello!

> Huh?  It's called from sock_alloc_send_skb, which is called from all 
> over the stack.

It is used with data_len==0. The branch generating fragments is dead.

Alexey

Re: [patch] bug prematurely setting nr_frags

[Benjamin LaHaise]

On Tue, Aug 13, 2002 at 08:06:13AM +0400, kuznet@ms2.inr.ac.ru wrote:
> Hello!
> 
> > Huh?  It's called from sock_alloc_send_skb, which is called from all 
> > over the stack.
> 
> It is used with data_len==0. The branch generating fragments is dead.

Ah, I see.  Care for a patch to remove it altogether then?  As for the 
bug, does anyone else see a place where nr_frags can be set without 
initializing a page pointer?  Otherwise it looks like a random memory 
corruption... what fun.

		-ben
-- 
"You will be reincarnated as a toad; and you will be much happier."

Re: [patch] bug prematurely setting nr_frags

[kuznet]

Hello!

> Ah, I see.  Care for a patch to remove it altogether then?

Well, someone wrote it for some purpose. :-) 


>							  As for the 
> bug, does anyone else see a place where nr_frags can be set without 
> initializing a page pointer? 

No. When does this happen?


> Otherwise it looks like a random memory corruption... what fun.

Well, even if this is corruption, it is unlikely to be random.
This maybe write beyond end of an skb, corrupting skb_shared_info.
At least, we had such place in netfilter fixed some time ago.

Alexey