From: Eric Dumazet <eric.dumazet@gmail.com>
To: Pavel Emelyanov <xemul@openvz.org>
Cc: Igor M Podlesny <for.poige+bugzilla.kernel.org@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
bugzilla-daemon@bugzilla.kernel.org,
bugme-daemon@bugzilla.kernel.org, netdev@vger.kernel.org,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH] net: net_assign_generic() fix
Date: Tue, 28 Jul 2009 14:36:15 +0200 [thread overview]
Message-ID: <4A6EF0BF.2050801@gmail.com> (raw)
In-Reply-To: <4A6EEF69.1050001@cosmosbay.com>
Eric Dumazet a écrit :
> Pavel Emelyanov a écrit :
>> Eric Dumazet wrote:
>>> Igor M Podlesny a écrit :
>>>> [...]
>>>>> Could have been a problem in net core, perhaps.
>>>>>
>>>>> Below is a ppp fix from 2.6.31, but it seems unlikely to fix your problem.
>>>>>
>>>>> It would help if we could see that trace, please. A digital photo
>>>>> would suit.
>>>> Here it is:
>>>>
>>>> http://bugzilla.kernel.org/attachment.cgi?id=22516
>>>>
>>>> (It's 2.6.30.3)
>>>>
>>> Looking at this, I believe net_assign_generic() is not safe.
>>>
>>> Two cpus could try to expand/update the array at same time, one update could be lost.
>>>
>>> register_pernet_gen_device() has a mutex to guard against concurrent
>>> calls, but net_assign_generic() has no locking at all.
>>>
>>> I doubt this is the reason of the crash, still worth to mention it...
>>>
>>> [PATCH] net: net_assign_generic() is not SMP safe
>>>
>>> Two cpus could try to expand/update the array at same time, one update
>>> could be lost during the copy of old array.
>> How can this happen? The array is updated only during ->init routines
>> of the pernet_operations, which are called from under the net_mutex.
>>
>> Do I miss anything?
>>
>
> Oops, I missed the obvious "BUG_ON(!mutex_is_locked(&net_mutex));"
>
> Sorry for the noise and untested patch as well :)
>
Hmm...
Real bug may be fixed by followed patch ? (yet untested, sorry...)
[PATCH] net: net_assign_generic() fix
memcpy() should take into account size of pointers,
not only number of pointers to copy.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index b7292a2..1972830 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -488,7 +488,7 @@ int net_assign_generic(struct net *net, int id, void *data)
*/
ng->len = id;
- memcpy(&ng->ptr, &old_ng->ptr, old_ng->len);
+ memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*));
rcu_assign_pointer(net->gen, ng);
call_rcu(&old_ng->rcu, net_generic_release);
next prev parent reply other threads:[~2009-07-28 12:36 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-13760-10286@http.bugzilla.kernel.org/>
2009-07-22 20:45 ` [Bugme-new] [Bug 13760] New: 2.6.30 kernel locks up with pppoe in back trace (regression) Andrew Morton
2009-07-23 6:39 ` Igor M Podlesny
2009-07-23 7:01 ` Andrew Morton
2009-07-23 16:15 ` David Miller
2009-07-23 17:51 ` Andrew Morton
2009-07-23 17:53 ` David Miller
2009-07-23 19:11 ` Jarek Poplawski
2009-07-25 3:33 ` Herbert Xu
2009-07-25 4:41 ` Igor M Podlesny
2009-07-28 6:40 ` Igor M Podlesny
2009-07-28 8:44 ` Eric Dumazet
2009-07-28 9:51 ` Pavel Emelyanov
2009-07-28 12:30 ` Eric Dumazet
2009-07-28 12:36 ` Eric Dumazet [this message]
2009-07-28 13:03 ` [PATCH] net: net_assign_generic() fix Pavel Emelyanov
2009-07-28 13:16 ` Eric Dumazet
2009-07-28 13:22 ` Eric Dumazet
2009-07-28 13:47 ` [PATCH] pppol2tp: calls unregister_pernet_gen_device() at unload time Eric Dumazet
2009-07-28 14:29 ` Cyrill Gorcunov
2009-07-28 17:46 ` [PATCH] pppoe: fix race at init time Eric Dumazet
2009-07-28 18:48 ` Cyrill Gorcunov
2009-07-29 3:55 ` Igor M Podlesny
2009-07-29 4:33 ` Eric Dumazet
2009-07-29 14:46 ` Cyrill Gorcunov
2009-08-12 23:40 ` David Miller
2009-08-14 16:42 ` Cyrill Gorcunov
2009-07-29 9:43 ` [PATCH] pppoe: fix /proc/net/pppoe Eric Dumazet
2009-07-30 21:19 ` David Miller
2009-08-02 19:28 ` [PATCH] pppol2tp: calls unregister_pernet_gen_device() at unload time David Miller
2009-08-02 19:27 ` [PATCH] net: net_assign_generic() fix David Miller
2009-07-23 16:14 ` [Bugme-new] [Bug 13760] New: 2.6.30 kernel locks up with pppoe in back trace (regression) David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A6EF0BF.2050801@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bugme-daemon@bugzilla.kernel.org \
--cc=bugzilla-daemon@bugzilla.kernel.org \
--cc=davem@davemloft.net \
--cc=for.poige+bugzilla.kernel.org@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).