From: chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Krzysztof Mazur <krzysiek@podlesie.net>,
David Laight <David.Laight@ACULAB.COM>,
davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, nathan@traverse.com.au
Subject: Re: [PATCH v2 3/3] pppoatm: protect against freeing of vcc
Date: Thu, 29 Nov 2012 13:29:02 -0500 [thread overview]
Message-ID: <20121129132902.04373f49@thirdoffive.cmf.nrl.navy.mil> (raw)
In-Reply-To: <1354212708.21562.205.camel@shinybook.infradead.org>
On Thu, 29 Nov 2012 18:11:48 +0000
David Woodhouse <dwmw2@infradead.org> wrote:
> We do see the 'packet received for unknown VCC' complaint, after we
> reboot the host without resetting the card. And as shown in the commit I
> just referenced, we rely on the !ATM_VF_READY check in order to prevent
> a use-after-free when the tasklet is sending packets up a VCC that's
> just been closed.
well that behavior is just crap. why is it delivering cells for a
vpi/vci pair that is not open? regardless, i pointed out the behavior
of find_vcc() just in case you need to do some clean up on data that is
coming back while you are attempting to finish operations during your
driver's close() but this cleanup might not be happening since you
arent able to get a reference to the vcc so you can pop() the data or
whatever you might need to do.
> > again part of this is poor synchronization. the detach protocol (i.e.
> > push of a NULL skb) should be flushing any pending transmits and
> > shutting down whatever in the protocol is doing any sending and
> > receiving. however, i release this might be difficult to do since the
> > detach protocol is invoked in such a strange way.
>
> You mean that (e.g.) pppoatm_push(vcc, NULL) should be waiting for any
> pending TX skb (that has already been passed off to the driver) to
> *complete*? How would it even do that?
i think the order of the vcc_destroy_socket() operations is a bit
wrong. it should call detach protocol (i.e. push a NULL). this should
cause the attached protocol to stop any future sends and receives, and
it CAN sleep in this context (and only this context -- generally
sending cannot sleep which is why this might seem confusing) to do
whatever it needs to do to wait for the attached protocol to clean up
queues, flush data etc.
then the driver close() should be called. this takes care of cleaning
up any pending tx or rx that is in the hardware. and of course,
close() can sleep since it will be in a interrutible context.
the pop() might be screwed up here though. you might have skb's in the
driver that should be pop()'ed with the formerly attached protocol.
you could wait for pending tx's sent to the driver. you know that your
attached protocol's pop() will be called. keep count of the
outstanding transmit skb's. you cant do this though if you close() the
vcc before you detach the protocol.
next prev parent reply other threads:[~2012-11-29 18:29 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-22 17:14 [PATCH v2 1/3] pppoatm: don't send frames to destroyed vcc Krzysztof Mazur
2012-10-22 17:14 ` [PATCH v2 2/3] pppoatm: fix race condition with destroying of vcc Krzysztof Mazur
2012-10-30 9:37 ` David Woodhouse
2012-10-30 19:07 ` Krzysztof Mazur
2012-10-30 19:52 ` Krzysztof Mazur
2012-10-31 10:16 ` David Woodhouse
2012-10-31 11:30 ` Krzysztof Mazur
2012-10-31 11:52 ` David Woodhouse
2012-10-30 14:26 ` Chas Williams (CONTRACTOR)
2012-10-30 18:20 ` Krzysztof Mazur
2012-10-31 9:41 ` Krzysztof Mazur
2012-10-31 10:22 ` Krzysztof Mazur
2012-10-31 20:03 ` chas williams - CONTRACTOR
2012-10-31 22:04 ` Krzysztof Mazur
2012-11-01 14:26 ` chas williams - CONTRACTOR
2012-11-02 9:40 ` Krzysztof Mazur
2012-11-02 10:54 ` Krzysztof Mazur
2012-10-22 17:14 ` [PATCH v2 3/3] pppoatm: protect against freeing " Krzysztof Mazur
2012-10-30 9:39 ` David Woodhouse
2012-10-30 19:26 ` Krzysztof Mazur
2012-11-27 17:16 ` David Woodhouse
2012-11-27 17:39 ` Krzysztof Mazur
2012-11-27 18:02 ` David Woodhouse
2012-11-27 18:28 ` Krzysztof Mazur
2012-11-28 20:18 ` Krzysztof Mazur
2012-11-28 20:44 ` David Woodhouse
2012-11-28 21:24 ` Krzysztof Mazur
2012-11-28 21:20 ` chas williams - CONTRACTOR
2012-11-28 21:45 ` [PATCH] atm: introduce vcc_pop() Krzysztof Mazur
2012-11-28 21:59 ` chas williams - CONTRACTOR
2012-11-28 22:10 ` Krzysztof Mazur
2012-11-28 22:33 ` [PATCH] atm: introduce vcc_pop_skb() Krzysztof Mazur
2012-12-03 13:22 ` David Woodhouse
2012-12-03 20:11 ` Krzysztof Mazur
2012-11-27 18:39 ` [PATCH v2 3/3] pppoatm: protect against freeing of vcc Krzysztof Mazur
2012-11-27 18:54 ` chas williams - CONTRACTOR
2012-11-27 22:36 ` [PATCH] solos-pci: Wait for pending TX to complete when releasing vcc David Woodhouse
2012-11-27 23:28 ` [PATCH] br2684: don't send frames on not-ready vcc David Woodhouse
2012-11-27 23:51 ` Krzysztof Mazur
2012-11-28 0:54 ` David Woodhouse
2012-11-28 8:08 ` Krzysztof Mazur
2012-11-28 9:58 ` David Woodhouse
2012-11-28 16:41 ` David Miller
2012-11-28 17:01 ` David Woodhouse
2012-11-28 17:04 ` David Miller
2012-11-28 17:09 ` David Woodhouse
2012-11-28 17:11 ` David Miller
2012-11-30 1:18 ` Nathan Williams
2012-11-30 1:34 ` David Woodhouse
2012-11-28 9:21 ` [PATCH v2 3/3] pppoatm: protect against freeing of vcc David Laight
2012-11-28 10:04 ` Krzysztof Mazur
2012-11-28 10:24 ` David Woodhouse
2012-11-28 15:18 ` chas williams - CONTRACTOR
2012-11-28 22:18 ` David Woodhouse
2012-11-29 10:57 ` Krzysztof Mazur
2012-11-29 11:55 ` David Woodhouse
2012-11-29 12:43 ` [PATCH] solos-pci: don't call vcc->pop() after pclose() Krzysztof Mazur
2012-11-29 12:57 ` David Woodhouse
2012-11-29 13:20 ` Krzysztof Mazur
2012-11-29 14:42 ` David Woodhouse
2012-11-29 14:55 ` Krzysztof Mazur
2012-11-29 14:41 ` chas williams - CONTRACTOR
2012-11-29 14:29 ` [PATCH v2 3/3] pppoatm: protect against freeing of vcc chas williams - CONTRACTOR
2012-11-29 15:09 ` Krzysztof Mazur
2012-11-29 15:47 ` David Woodhouse
2012-11-29 15:59 ` chas williams - CONTRACTOR
2012-11-29 16:24 ` David Woodhouse
2012-11-29 17:17 ` chas williams - CONTRACTOR
2012-11-29 18:11 ` David Woodhouse
2012-11-29 18:29 ` chas williams - CONTRACTOR [this message]
2012-11-29 22:17 ` David Woodhouse
2012-11-30 1:38 ` Chas Williams (CONTRACTOR)
2012-11-30 1:57 ` David Woodhouse
2012-11-30 8:25 ` David Woodhouse
2012-11-30 9:53 ` Krzysztof Mazur
2012-11-30 12:10 ` David Woodhouse
2012-11-30 16:23 ` David Woodhouse
2012-11-30 17:00 ` Krzysztof Mazur
2012-11-30 18:33 ` David Woodhouse
2012-11-30 17:12 ` chas williams - CONTRACTOR
2012-11-30 17:39 ` Krzysztof Mazur
2012-11-29 16:28 ` Krzysztof Mazur
2012-11-29 15:37 ` chas williams - CONTRACTOR
2012-11-29 15:59 ` David Woodhouse
2012-11-29 16:11 ` chas williams - CONTRACTOR
2012-10-23 6:52 ` [PATCH v2 1/3] pppoatm: don't send frames to destroyed vcc David Miller
2012-10-23 8:12 ` David Woodhouse
2012-10-30 9:35 ` David Woodhouse
2012-10-30 20:19 ` Krzysztof Mazur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121129132902.04373f49@thirdoffive.cmf.nrl.navy.mil \
--to=chas@cmf.nrl.navy.mil \
--cc=David.Laight@ACULAB.COM \
--cc=davem@davemloft.net \
--cc=dwmw2@infradead.org \
--cc=krzysiek@podlesie.net \
--cc=linux-kernel@vger.kernel.org \
--cc=nathan@traverse.com.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.