Re: [BUG] NULL pointer dereference in skb_dequeue

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Paul E. McKenney <paulmck@...>

Cc: David Miller <davem@...>, <emil.s.tantilov@...>, <jeffrey.t.kirsher@...>, <netdev@...>

Subject: Re: [BUG] NULL pointer dereference in skb_dequeue

Date: Tuesday, August 12, 2008 - 2:36 am

On Mon, Aug 11, 2008 at 04:26:57PM -0700, Paul E. McKenney wrote:
quoted text> On Mon, Aug 11, 2008 at 10:01:26AM +0000, Jarek Poplawski wrote:
> > On 10-08-2008 21:04, Jarek Poplawski wrote:
> > ...
> > > Hmm.. Actually, it's completely unreasonable. Let's forget this.
> > 
> > But accidentally it might even sometimes work here...
> > 
> > Currently, the most suspicious place to me seems to be
> > __netif_schedule(). Is it legal to store RCU protected pointers out of
> > rcu_read_lock() sections?
> 
> Yes, but:
> 
> 1.	You need to use one of the update-side primitives to do the
> 	store: rcu_assign_pointer(), list_add_rcu(), etc.
> 
> 2.	There has to be some way for multiple updaters to coordinate,
> 	for example:
> 
> 	a.	Only a single task is permitted to update.
> 
> 	b.	Locking is used to coordinate among multiple updaters
> 		(so that only one such updater may proceed at a given
> 		time).
> 
> 	c.	Atomic operations are used to coordinate multiple
> 		updaters.  Here be dragons, go for (a) or (b)
> 		instead unless you have an extremely good reason
> 		-and- you have both a proof of correctness and
> 		a totally brutal and malign test suite.
> 
> The main reason to update RCU-protected pointers within rcu_read_lock()
> regions is when sharing code between RCU readers and updaters, or when
> an RCU reader can see the need to do an update.

Sure, but I'm concerned here with pure RCU reading:

From net/sched/sch_generic.c:

void __qdisc_run(struct Qdisc *q)
{
        unsigned long start_time = jiffies;

        while (qdisc_restart(q)) {
                /*
                 * Postpone processing if
                 * 1. another process needs the CPU;
                 * 2. we've been doing it for too long.
                 */
                if (need_resched() || jiffies != start_time) {
                        __netif_schedule(q);

This function is run from dev_queue_xmit() (net/core/dev.c) under
rcu_read_lock_bh(), and this "q" pointer is passed here for later use
(reading) by softirq run net_tx_action(). Alas in net/ RCU primitives
are probably omitted in a few places...

Thanks for the explanation,
Jarek P.

                        break;
                }
        }

        clear_bit(__QDISC_STATE_RUNNING, &q->state);
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[BUG] NULL pointer dereference in skb_dequeue, Jeff Kirsher, (Fri Aug 1, 7:40 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Fri Aug 1, 9:03 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Fri Aug 1, 9:20 pm)

RE: [BUG] NULL pointer dereference in skb_dequeue, Tantilov, Emil S, (Sat Aug 2, 5:36 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sat Aug 2, 9:37 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sat Aug 2, 12:27 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Sat Aug 2, 3:18 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sat Aug 2, 4:19 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sun Aug 3, 5:29 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Sun Aug 3, 5:56 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sun Aug 3, 6:08 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sun Aug 3, 5:50 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Sat Aug 2, 3:22 pm)

RE: [BUG] NULL pointer dereference in skb_dequeue, Tantilov, Emil S, (Sat Aug 2, 3:45 pm)

RE: [BUG] NULL pointer dereference in skb_dequeue, Tantilov, Emil S, (Sat Aug 2, 5:46 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Sat Aug 2, 10:26 pm)

RE: [BUG] NULL pointer dereference in skb_dequeue, Tantilov, Emil S, (Fri Aug 8, 3:38 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, David Miller, (Sat Aug 9, 3:29 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sat Aug 9, 6:32 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Sun Aug 10, 3:04 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Mon Aug 11, 6:01 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Paul E. McKenney, (Mon Aug 11, 7:26 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Tue Aug 12, 2:36 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Paul E. McKenney, (Tue Aug 12, 9:42 am)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Tue Aug 12, 2:09 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Paul E. McKenney, (Tue Aug 12, 4:18 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Jarek Poplawski, (Tue Aug 12, 5:15 pm)

Re: [BUG] NULL pointer dereference in skb_dequeue, Paul E. McKenney, (Tue Aug 12, 6:33 pm)


linux-kernel:
Andrew Morton	2.6.23-rc3-mm1
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Yinghai Lu	Re: [PATCH RFC] x86: check for and defend against BIOS memory corruption
Frederik Deweerdt	[-mm patch] remove tcp header from tcp_v4_check (take #2)
openbsd-misc:

linux-netdev:
David Miller	[GIT]: Networking
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Herbert Xu	Re: [PATCH 2/3][NET_BATCH] net core use batching
git:

Re: [BUG] NULL pointer dereference in skb_dequeue

Online users