* [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion
@ 2011-10-09 15:19 danborkmann
2011-10-09 20:57 ` Eric Dumazet
0 siblings, 1 reply; 4+ messages in thread
From: danborkmann @ 2011-10-09 15:19 UTC (permalink / raw)
To: David S. Miller, netdev
This tiny patch derefs the skb only after BUG_ON(skb==NULL) was evaluated
and not before. Patched against latest Linus tree.
Thanks,
Daniel
Signed-off-by: Daniel Borkmann <danborkmann@iogearbox.net>
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fabb4fa..d9d833b 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1167,11 +1167,12 @@ ring_is_full:
static void tpacket_destruct_skb(struct sk_buff *skb)
{
- struct packet_sock *po = pkt_sk(skb->sk);
+ struct packet_sock *po;
void *ph;
BUG_ON(skb == NULL);
+ po = pkt_sk(skb->sk);
if (likely(po->tx_ring.pg_vec)) {
ph = skb_shinfo(skb)->destructor_arg;
BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion
2011-10-09 15:19 [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion danborkmann
@ 2011-10-09 20:57 ` Eric Dumazet
2011-10-10 8:02 ` danborkmann
0 siblings, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2011-10-09 20:57 UTC (permalink / raw)
To: danborkmann; +Cc: David S. Miller, netdev
Le dimanche 09 octobre 2011 à 17:19 +0200, danborkmann@iogearbox.net a
écrit :
> This tiny patch derefs the skb only after BUG_ON(skb==NULL) was evaluated
> and not before. Patched against latest Linus tree.
>
> Thanks,
> Daniel
>
> Signed-off-by: Daniel Borkmann <danborkmann@iogearbox.net>
>
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index fabb4fa..d9d833b 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -1167,11 +1167,12 @@ ring_is_full:
>
> static void tpacket_destruct_skb(struct sk_buff *skb)
> {
> - struct packet_sock *po = pkt_sk(skb->sk);
> + struct packet_sock *po;
> void *ph;
>
> BUG_ON(skb == NULL);
>
> + po = pkt_sk(skb->sk);
> if (likely(po->tx_ring.pg_vec)) {
> ph = skb_shinfo(skb)->destructor_arg;
> BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
>
>
Well, to be honest, this BUG_ON(!skb) is absolutely useless for two
reasons.
1) If skb happens to be NULL, the NULL dereference is trapped and stack
trace dumped as well.
2) Of course, tpacket_destruct_skb() being an skb destructor, skb cannot
be NULL at this point by design.
Please remove the BUG_ON() instead of trying to move it ;)
Thanks
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion
2011-10-09 20:57 ` Eric Dumazet
@ 2011-10-10 8:02 ` danborkmann
2011-10-10 16:06 ` Eric Dumazet
0 siblings, 1 reply; 4+ messages in thread
From: danborkmann @ 2011-10-10 8:02 UTC (permalink / raw)
To: Eric Dumazet; +Cc: David S. Miller, netdev
Hi Eric,
Quoting Eric Dumazet <eric.dumazet@gmail.com>:
> Le dimanche 09 octobre 2011 à 17:19 +0200, danborkmann@iogearbox.net a
> écrit :
>> This tiny patch derefs the skb only after BUG_ON(skb==NULL) was evaluated
>> and not before. Patched against latest Linus tree.
>>
>> Thanks,
>> Daniel
>>
>> Signed-off-by: Daniel Borkmann <danborkmann@iogearbox.net>
>>
>> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>> index fabb4fa..d9d833b 100644
>> --- a/net/packet/af_packet.c
>> +++ b/net/packet/af_packet.c
>> @@ -1167,11 +1167,12 @@ ring_is_full:
>>
>> static void tpacket_destruct_skb(struct sk_buff *skb)
>> {
>> - struct packet_sock *po = pkt_sk(skb->sk);
>> + struct packet_sock *po;
>> void *ph;
>>
>> BUG_ON(skb == NULL);
>>
>> + po = pkt_sk(skb->sk);
>> if (likely(po->tx_ring.pg_vec)) {
>> ph = skb_shinfo(skb)->destructor_arg;
>> BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
>>
>>
>
> Well, to be honest, this BUG_ON(!skb) is absolutely useless for two
> reasons.
>
> 1) If skb happens to be NULL, the NULL dereference is trapped and stack
> trace dumped as well.
>
> 2) Of course, tpacket_destruct_skb() being an skb destructor, skb cannot
> be NULL at this point by design.
>
> Please remove the BUG_ON() instead of trying to move it ;)
Thanks, you're absolutely right! Here's the trivial patch:
af_packet: removed unnecessary BUG_ON assertion in tpacket_destruct_skb
If skb is NULL, then stack trace is thrown on anyway on dereference.
Therefore,
the stack trace triggered by BUG_ON is duplicate.
Signed-off-by: Daniel Borkmann <danborkmann@googlemail.com>
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fabb4fa..886ae50 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1170,8 +1170,6 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
struct packet_sock *po = pkt_sk(skb->sk);
void *ph;
- BUG_ON(skb == NULL);
-
if (likely(po->tx_ring.pg_vec)) {
ph = skb_shinfo(skb)->destructor_arg;
BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion
2011-10-10 8:02 ` danborkmann
@ 2011-10-10 16:06 ` Eric Dumazet
0 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2011-10-10 16:06 UTC (permalink / raw)
To: danborkmann; +Cc: David S. Miller, netdev
Le lundi 10 octobre 2011 à 10:02 +0200, danborkmann@iogearbox.net a
écrit :
> Thanks, you're absolutely right! Here's the trivial patch:
>
> af_packet: removed unnecessary BUG_ON assertion in tpacket_destruct_skb
>
OK but a proper title should be
[PATCH] af_packet: remove unnecessary BUG_ON() in tpacket_destruct_skb
> If skb is NULL, then stack trace is thrown on anyway on dereference.
> Therefore,
> the stack trace triggered by BUG_ON is duplicate.
>
> Signed-off-by: Daniel Borkmann <danborkmann@googlemail.com>
>
missing "---" separator
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index fabb4fa..886ae50 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -1170,8 +1170,6 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
> struct packet_sock *po = pkt_sk(skb->sk);
> void *ph;
>
> - BUG_ON(skb == NULL);
> -
> if (likely(po->tx_ring.pg_vec)) {
> ph = skb_shinfo(skb)->destructor_arg;
> BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
>
>
Please send a complete new mail without any history.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-10-10 16:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-10-09 15:19 [PATCH] af_packet: tpacket_destruct_skb, deref skb after BUG_ON assertion danborkmann
2011-10-09 20:57 ` Eric Dumazet
2011-10-10 8:02 ` danborkmann
2011-10-10 16:06 ` Eric Dumazet
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox