From: David Miller <davem@davemloft.net>
To: johannes@sipsolutions.net
Cc: mb@bu3sch.de, netdev@vger.kernel.org, linux-wireless@vger.kernel.org
Subject: Re: mac80211 truesize bugs
Date: Thu, 01 May 2008 02:43:20 -0700 (PDT)
Message-ID: <20080501.024320.212547875.davem@davemloft.net>
In-Reply-To: <1209634349.4008.15.camel@johannes.berg>
From: Johannes Berg <johannes@sipsolutions.net>
Date: Thu, 01 May 2008 11:32:29 +0200
> On Thu, 2008-05-01 at 02:20 -0700, David Miller wrote:
> > From: Johannes Berg <johannes@sipsolutions.net>
> > Date: Thu, 01 May 2008 11:08:06 +0200
> >
> > > > Seems the skb->destructor messes it up.
> > >
> > > Actually, it seems to be outside of mac80211, I put in a WARN_ON() and
> > > got this:
> >
> > You're just seeing who freed it last here.
> >
> > It could have had its ->truesize put into an illegal state
> > elsewhere.
>
> Yes, I know, but it doesn't come from my skb_orphan() call. Hence, I
> just netif_rx() the packet which makes it go onto the input_pkt_queue
> and then to netif_receive_skb() which gives it to af_packet and all
> others should ignore it since I set PACKET_OTHERHOST.

I looked at the mac80211 code, the problem is the skb_push() you
guys do in this situation.

Things like loopback, which also orphan then reinject, don't trigger
this problem because the re-input path trims things, never adds.

The good news is that this is easy to fix.

Since you've orphaned the SKB, simply adjust skb->truesize as you
do pushes. Like this:

mac80211: Adjust truesize in ieee80211_tx_status() when reinjecting.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 9ad4e36..de2e904 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1485,6 +1485,9 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
rthdr = (struct ieee80211_tx_status_rtap_hdr*)
skb_push(skb, sizeof(*rthdr));
+ /* This is safe because the buffer has been orphaned. */
+ skb->truesize += sizeof(*rthdr);
+
memset(rthdr, 0, sizeof(*rthdr));
rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
rthdr->hdr.it_present =
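
Review bot: the new comment above `skb->truesize += sizeof(*rthdr);` says why the adjustment is safe but not why it is needed, and the skb_orphan() it relies on is outside this hunk, so the precondition cannot be checked from here. skb_push() only moves skb->data into headroom the buffer already has, so the comment should name the truesize check that the pushed bytes would otherwise trip on the reinjection path, and say where the skb is orphaned before this point. If any path could reach this line with a socket still charged for the skb, that socket's accounting would no longer match truesize when the destructor runs, so the dependency deserves a sentence in the commit message, which currently has only a subject line.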