Re: [PATCH] net_device refcnt bug when NFQUEUEing bridged packets

view
thread

!MAILaRCHIVE_VOTE_RePLACE

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Stephen Hemminger <shemminger@...>

To: Jan Christoph Nordholz <hesso@...>

Cc: <kaber@...>, <linux-kernel@...>

Subject: Re: [PATCH] net_device refcnt bug when NFQUEUEing bridged packets

Date: Tuesday, January 15, 2008 - 7:11 pm

On Wed, 16 Jan 2008 00:05:44 +0100
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> wrote:

quoted text> Hi,
> 
> I came across the following bug a few weeks ago (which still applies to
> 2.6.24-rc7):
> 
> Packets that are to be sent out over a bridge device are skb_clone()d in
> br_loop() before traversing the appropriate (FORWARD/OUTPUT) NF chain. 
> The copies made by skb_clone() share their nf_bridge metadata with the
> original, which is no problem usually.
> If however one or more packets of a br_loop() run end up in a NFQUEUE,
> their shared nf_bridge metadata causes trouble when they are about to be
> reinjected: nf_reinject() decrements the net_device refcounts that were
> previously upped when queueing the packet in __nf_queue(), but as
> skb->nf_bridge->physoutdev points to the same device for all these
> packets, most (if not all) of them will affect the wrong refcnt.
> 
> (I originally encountered the bug on a Xen host because the hypervisor
> refused to shutdown a virtual device with non-zero refcount... but it is
> perfectly reproducible with a standard kernel, too, although it was a
> bit more tedious to create a test scenario, involving a couple of UMLs.)
> 
> I'd suggest to make a real copy of the nf_bridge member in br_loop() if
> CONFIG_BRIDGE_NETFILTER is defined - I've attached a patch that illus-
> trates how to fix the bug (and the machine I've found the bug on is
> running a kernel with this patch since weeks and has not had any
> refcount anomalies since), but I admit it is ugly, returning the reference
> acquired by __nf_copy() and then copying manually...
> 
> Please tell me where that logic should really go (skbuff.h? br_netfilter.c?)
> so I can wrap up a final and CodingStyle-conformant version, or feel free
> to simply apply a modified version.
> 
> 
> Regards,
> 
> Jan
> 
>

Please submit a bug to kernel bugzilla.  Not sure that the patch is the
proper way to fix this.

-- 
Stephen Hemminger <stephen.hemminger@vyatta.com>
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] net_device refcnt bug when NFQUEUEing bridged packets, Jan Christoph Nordholz, (Tue Jan 15, 7:05 pm)

Re: [PATCH] net_device refcnt bug when NFQUEUEing bridged pa..., Stephen Hemminger, (Tue Jan 15, 7:11 pm)

Navigation

Popular discussions


linux-kernel:
Andy Whitcroft	clam
Jon Smirl	Re: 463 kernel developers missing!
Trent Piepho	[PATCH] [POWERPC] Improve (in\|out)_beXX() asm code
Linus Torvalds	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
git:

linux-netdev:
Jarek Poplawski	Re: HTB accuracy for high speed
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Natalie Protasevich	[BUG] New Kernel Bugs
openbsd-misc:

Colocation donated by:

Online users

Syndicate