From: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
Date: Tue, 22 Aug 2017 20:55:56 +0300

> Which reminds me that skb_linearize in net core seems to be
> fundamentally racy - I suspect that if skb is cloned, and someone is
> trying to use the shared frags while another thread calls skb_linearize,
> we get some use after free bugs which likely mostly go undetected
> because the corrupted packets mostly go on wire and get dropped
> by checksum code.

Indeed, it does assume that the skb from which the clone was made never
has its geometry changed.

I don't think even the TCP retransmit queue has this guarantee.

_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/virtualization