From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xie He <xie.he.0141@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Martin Schiller <ms@dev.tdt.de>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.7 24/25] drivers/net/wan: lapb: Corrected the usage of skb_cow
Date: Mon, 27 Jul 2020 19:23:44 -0400
Message-ID: <20200727232345.717432-24-sashal@kernel.org>
In-Reply-To: <20200727232345.717432-1-sashal@kernel.org>
From: Xie He <xie.he.0141@gmail.com>

[ Upstream commit 8754e1379e7089516a449821f88e1fe1ebbae5e1 ]

This patch fixed 2 issues with the usage of skb_cow in LAPB drivers
"lapbether" and "hdlc_x25":

1) After skb_cow fails, kfree_skb should be called to drop a reference
to the skb. But in both drivers, kfree_skb is not called.

2) skb_cow should be called before skb_push so that it can ensure the
safety of skb_push. But in "lapbether", it is incorrectly called after
skb_push.

More details about these 2 issues:

1) The behavior of calling kfree_skb on failure is also the behavior of
netif_rx, which is called by this function with "return netif_rx(skb);".
So this function should follow this behavior, too.

2) In "lapbether", skb_cow is called after skb_push. This results in 2
logical issues:
a) skb_push is not protected by skb_cow;
b) An extra headroom of 1 byte is ensured after skb_push. This extra
headroom has no use in this function. It also has no use in the
upper-layer function that this function passes the skb to
(x25_lapb_receive_frame in net/x25/x25_dev.c).
So logically skb_cow should instead be called before skb_push.

Cc: Eric Dumazet <edumazet@google.com>
Cc: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Xie He <xie.he.0141@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wan/hdlc_x25.c | 4 +++-
drivers/net/wan/lapbether.c | 8 +++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wan/hdlc_x25.c b/drivers/net/wan/hdlc_x25.c
index c84536b03aa84..f70336bb6f524 100644
--- a/drivers/net/wan/hdlc_x25.c
+++ b/drivers/net/wan/hdlc_x25.c
@@ -71,8 +71,10 @@ static int x25_data_indication(struct net_device *dev, struct sk_buff *skb)
{
unsigned char *ptr;
- if (skb_cow(skb, 1))
+ if (skb_cow(skb, 1)) {
+ kfree_skb(skb);
return NET_RX_DROP;
+ }
skb_push(skb, 1);
skb_reset_network_header(skb);
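Review bot: the new failure branch after skb_cow(skb, 1) in x25_data_indication frees the skb and returns NET_RX_DROP without recording the drop anywhere, so a failed skb_cow here leaves no trace in the interface counters. Consider incrementing dev->stats.rx_dropped before kfree_skb(skb), since dev is already a parameter of this function. A one-line comment stating that the function now consumes the skb on this path would also help a future caller avoid freeing it a second time.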
diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
index e30d91a38cfb6..b73b347ed731d 100644
--- a/drivers/net/wan/lapbether.c
+++ b/drivers/net/wan/lapbether.c
@@ -128,10 +128,12 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb)
{
unsigned char *ptr;
- skb_push(skb, 1);
-
- if (skb_cow(skb, 1))
+ if (skb_cow(skb, 1)) {
+ kfree_skb(skb);
return NET_RX_DROP;
+ }
+
+ skb_push(skb, 1);
ptr = skb->data;
*ptr = X25_IFACE_DATA;
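Review bot: in lapbeth_data_indication the headroom size 1 is written twice, in skb_cow(skb, 1) and in skb_push(skb, 1), and the fix only holds while the two values stay equal and the calls stay in this order. A short comment above the skb_cow call, saying that it guarantees writable headroom for the single X25_IFACE_DATA byte stored through ptr, would keep a later edit from reordering or resizing one call without the other.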
--
2.25.1