From: David Miller <davem@davemloft.net>
To: rdenis@simphalempin.com
Cc: johnpol@2ka.mipt.ru, akpm@linux-foundation.org,
netdev@vger.kernel.org, bugme-daemon@bugzilla.kernel.org
Subject: Re: [Bugme-new] [Bug 11469] New: TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash
Date: Mon, 08 Sep 2008 13:15:47 -0700 (PDT) [thread overview]
Message-ID: <20080908.131547.26037628.davem@davemloft.net> (raw)
In-Reply-To: <200809072119.50307.rdenis@simphalempin.com>
From: Rémi Denis-Courmont <rdenis@simphalempin.com>
Date: Sun, 7 Sep 2008 21:19:49 +0300
> Le dimanche 7 septembre 2008 21:11:09 Evgeniy Polyakov, vous avez écrit :
> > Since dst entry is allowed not to have neighbour entry, flush it just
> > like with incomplete one. This drops performance of your application
> > with more than 1024 neighbours to 1024 messages, to fix it you should
> > tune ipv6 routing parameters (gc intervals, gc threshold, maximum number
> > of entries and so on). There may be another problem with perfomance
> > though, at least I was able to bump it 10 times with different settings,
> > but still two times smaller than with 4k neighbours.
>
> That looks like a trivial local DoS against the IPv6 stack though?
>
> Especially in the case that the interface has IFF_NOARP, that seems like a
> weird limitation. Oh well...
It's less of a DoS than the NULL pointer deref we get now, isn't it? :-)
But I don't like this patch for several reasons:
1) Slapping on a NULL check in response to a OOPS at that exact
location is usually a very big red flag, and deserves high scrutiny
instead of blind acceptance.
2) Looking at the indentation of this DAD code block (it's all one tab
too much) it's obviously a very shitty cut and paste job. If the
coding style was too difficult to get right, what does this say
about that change that brought the code here, semantically? :-/
This means we should figure out how this code got to this place,
and what kind of invariants existed at the old location that might
make this dst->neighbour dereference valid, and what implications
there are for the fact that it can now be NULL.
Really, we really need to understand much more deeply this situation.
next prev parent reply other threads:[~2008-09-08 20:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-11469-10286@http.bugzilla.kernel.org/>
2008-08-31 18:13 ` [Bugme-new] [Bug 11469] New: TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash Andrew Morton
2008-09-05 11:41 ` Evgeniy Polyakov
2008-09-05 16:03 ` Rémi Denis-Courmont
2008-09-05 16:37 ` Evgeniy Polyakov
2008-09-07 18:11 ` Evgeniy Polyakov
2008-09-07 18:19 ` Rémi Denis-Courmont
2008-09-08 20:15 ` David Miller [this message]
2008-09-08 20:34 ` Evgeniy Polyakov
2008-09-09 10:56 ` Neil Horman
2008-09-09 11:32 ` Neil Horman
2008-09-09 14:31 ` Evgeniy Polyakov
2008-09-09 15:39 ` Neil Horman
2008-09-09 20:52 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080908.131547.26037628.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=akpm@linux-foundation.org \
--cc=bugme-daemon@bugzilla.kernel.org \
--cc=johnpol@2ka.mipt.ru \
--cc=netdev@vger.kernel.org \
--cc=rdenis@simphalempin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).