On 09/11/2015 11:34 PM, David Miller wrote:
...
Another approach would be to put the mmap user data into a page frag,
but that obviously has some costs associated with it. However,
nothing in netlink is ready for fragged skbs yet. It's the reason why
we have the large skb via vmalloc facility.

From: Daniel Borkmann
Date: Fri, 11 Sep 2015 22:35:08 +0200
> On 09/11/2015 09:42 PM, David Miller wrote:
>> @@ -2220,7 +2221,8 @@ static inline void skb_orphan(struct sk_buff
>> *skb)
>>*/
>> static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t
>> gfp_mask)
>> {
>> -if (li

On 09/11/2015 09:42 PM, David Miller wrote:
From: Daniel Borkmann
Date: Fri, 11 Sep 2015 12:25:45 +0200
Already calling into skb_clone() is an issue itself, as the data
area is user space buffer, and skb_clone() as well as skb_copy()
access skb_shinfo() area. :/ So in that regard netlink mmap

From: Daniel Borkmann
Date: Fri, 11 Sep 2015 12:25:45 +0200
> Already calling into skb_clone() is an issue itself, as the data
> area is user space buffer, and skb_clone() as well as skb_copy()
> access skb_shinfo() area. :/ So in that regard netlink mmap skbs are
> even further restrictive on wh

On 09/11/2015 07:11 AM, David Miller wrote:
...
Looking more deeply into this, I think we have the same exact problem
with netlink skbs that use vmalloc memory at skb->head.
Yes, agreed, the test in the patch covered those as well via:
if (netlink_skb_is_mmaped(skb) || is_vmalloc_addr(skb->h

From: Daniel Borkmann
Date: Thu, 10 Sep 2015 20:05:46 +0200
> Ken-ichirou reported that running netlink in mmap mode for receive in
> combination with nlmon will throw a NULL pointer dereference in
> __kfree_skb() on nlmon_xmit(), in my case I can also trigger an "unable
> to handle kernel paging

Ken-ichirou reported that running netlink in mmap mode for receive in
combination with nlmon will throw a NULL pointer dereference in
__kfree_skb() on nlmon_xmit(), in my case I can also trigger an "unable
to handle kernel paging request". The problem is the skb_clone() in
__netlink_deliver_tap_skb