Re: net: GPF in netlink_getsockbyportid

From: Florian Westphal
Date: Sat Jan 23 2016 - 19:11:32 EST

Next message: Kieran Bingham: "Re: [PATCH 1/5] scripts/gdb: Provide linux constants"
Previous message: Kui Zhang: "connection failure after "tcp: remove max_qlen_log""
In reply to: Daniel Borkmann: "Re: net: GPF in netlink_getsockbyportid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
> On 01/23/2016 08:25 PM, Florian Westphal wrote:
> >Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> >
> >[ CC nf-devel, not sure if its nfnetlink fault or NETLINK_MMAP ]
> >
> >>The following program causes GPF in netlink_getsockbyportid:
[..]

> >CONFIG_NETLINK_MMAP and nfnetlink batching strike in unison :-/
> >
> >root cause is in nfnetlink_rcv_batch():
> >
> >296 replay:
> >297 status = 0;
> >298
> >299 skb = netlink_skb_clone(oskb, GFP_KERNEL);
> >
> >The clone op doesn't copy oskb->sk, so we oops in
> >__netlink_alloc_skb -> netlink_getsockbyportid() when nfnetlink_rcv_batch
> >tries to send netlink ack.
>
> If indeed oskb is the mmap'ed netlink skb, then it's not even allowed
> to call into skb_clone()

Right, but in this case there is no mmap'd netlink sk involved -- we
crash when we try to look up dst netlink socket to see if there is an
mmap'd ring attached.

[ and that code isn't there with CONFIG_NETLINK_MMAP=n ].

Next message: Kieran Bingham: "Re: [PATCH 1/5] scripts/gdb: Provide linux constants"
Previous message: Kui Zhang: "connection failure after "tcp: remove max_qlen_log""
In reply to: Daniel Borkmann: "Re: net: GPF in netlink_getsockbyportid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]