* [net] net: fix double free issue of skbuff
@ 2016-02-29 12:22 Zhang Shengju
2016-02-29 12:58 ` Sergei Shtylyov
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Zhang Shengju @ 2016-02-29 12:22 UTC (permalink / raw)
To: davem, netdev
If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
Then at skb_vlan_untag(), it will free skbuff again which cause double
free.
This patch removes kfree_skb() call in function skb_reorder_vlan_header().
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
---
net/core/skbuff.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 488566b..1312d4b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4350,7 +4350,6 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
{
if (skb_cow(skb, skb_headroom(skb)) < 0) {
- kfree_skb(skb);
return NULL;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [net] net: fix double free issue of skbuff
2016-02-29 12:22 [net] net: fix double free issue of skbuff Zhang Shengju
@ 2016-02-29 12:58 ` Sergei Shtylyov
2016-02-29 13:10 ` Paolo Abeni
2016-02-29 17:01 ` David Miller
2 siblings, 0 replies; 7+ messages in thread
From: Sergei Shtylyov @ 2016-02-29 12:58 UTC (permalink / raw)
To: Zhang Shengju, davem, netdev
Hello.
On 2/29/2016 3:22 PM, Zhang Shengju wrote:
> If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
> Then at skb_vlan_untag(), it will free skbuff again which cause double
> free.
>
> This patch removes kfree_skb() call in function skb_reorder_vlan_header().
>
> Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
> ---
> net/core/skbuff.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 488566b..1312d4b 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -4350,7 +4350,6 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
> static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
> {
> if (skb_cow(skb, skb_headroom(skb)) < 0) {
> - kfree_skb(skb);
> return NULL;
> }
You now need to remove {}.
MBR, Sergei
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [net] net: fix double free issue of skbuff
2016-02-29 12:22 [net] net: fix double free issue of skbuff Zhang Shengju
2016-02-29 12:58 ` Sergei Shtylyov
@ 2016-02-29 13:10 ` Paolo Abeni
2016-02-29 17:01 ` David Miller
2 siblings, 0 replies; 7+ messages in thread
From: Paolo Abeni @ 2016-02-29 13:10 UTC (permalink / raw)
To: Zhang Shengju; +Cc: davem, netdev
On Mon, 2016-02-29 at 12:22 +0000, Zhang Shengju wrote:
> If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
> Then at skb_vlan_untag(), it will free skbuff again which cause double
> free.
On skb_reorder_vlan_header() failure, skb_vlan_untag() will call
kfree_skb() using the return value of skb_reorder_vlan_header(), that is
NULL. kfree_skb() is a noop when the argument is NULL.
The current code seams safe.
Paolo
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [net] net: fix double free issue of skbuff
2016-02-29 12:22 [net] net: fix double free issue of skbuff Zhang Shengju
2016-02-29 12:58 ` Sergei Shtylyov
2016-02-29 13:10 ` Paolo Abeni
@ 2016-02-29 17:01 ` David Miller
2 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2016-02-29 17:01 UTC (permalink / raw)
To: zhangshengju; +Cc: netdev
From: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Date: Mon, 29 Feb 2016 12:22:53 +0000
> If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
> Then at skb_vlan_untag(), it will free skbuff again which cause double
> free.
The 'skb' local variable in this case will be set to "NULL", calling
kfree_skb() on NULL doesn't do anything.
> This patch removes kfree_skb() call in function skb_reorder_vlan_header().
>
> Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Please analyze the complete control path of the caller of this
function, and you'll find that everything is fine.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [net] net: fix double free issue of skbuff
@ 2016-02-29 14:10 张胜举
0 siblings, 0 replies; 7+ messages in thread
From: 张胜举 @ 2016-02-29 14:10 UTC (permalink / raw)
To: 'Sergei Shtylyov', davem, netdev
> Hello.
>
> On 2/29/2016 3:22 PM, Zhang Shengju wrote:
>
> > If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
> > Then at skb_vlan_untag(), it will free skbuff again which cause double
> > free.
> >
> > This patch removes kfree_skb() call in function
> skb_reorder_vlan_header().
> >
> > Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
> > ---
> > net/core/skbuff.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c index
> > 488566b..1312d4b 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -4350,7 +4350,6 @@
> EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
> > static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
> > {
> > if (skb_cow(skb, skb_headroom(skb)) < 0) {
> > - kfree_skb(skb);
> > return NULL;
> > }
>
> You now need to remove {}.
>
> MBR, Sergei
Thanks Sergei, I will add this in v2.
BRs,
Shengju
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [net] net: fix double free issue of skbuff
@ 2016-02-29 14:16 张胜举
2016-02-29 17:11 ` David Miller
0 siblings, 1 reply; 7+ messages in thread
From: 张胜举 @ 2016-02-29 14:16 UTC (permalink / raw)
To: 'Paolo Abeni'; +Cc: davem, netdev
> On Mon, 2016-02-29 at 12:22 +0000, Zhang Shengju wrote:
> > If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
> > Then at skb_vlan_untag(), it will free skbuff again which cause double
> > free.
>
> On skb_reorder_vlan_header() failure, skb_vlan_untag() will call
> kfree_skb() using the return value of skb_reorder_vlan_header(), that is
> NULL. kfree_skb() is a noop when the argument is NULL.
>
> The current code seams safe.
>
> Paolo
Hi Paolo, even current code is safe, this's still a potential problem. We should make an
assumption that inner function doesn't free skb, and let outside function take care of this.
BRs,
Shengju
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [net] net: fix double free issue of skbuff
2016-02-29 14:16 张胜举
@ 2016-02-29 17:11 ` David Miller
0 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2016-02-29 17:11 UTC (permalink / raw)
To: zhangshengju; +Cc: pabeni, netdev
From: 张胜举 <zhangshengju@cmss.chinamobile.com>
Date: Mon, 29 Feb 2016 22:16:37 +0800
>> On Mon, 2016-02-29 at 12:22 +0000, Zhang Shengju wrote:
>> > If skb_reorder_vlan_header() failed, skb is freed and NULL is returned.
>> > Then at skb_vlan_untag(), it will free skbuff again which cause double
>> > free.
>>
>> On skb_reorder_vlan_header() failure, skb_vlan_untag() will call
>> kfree_skb() using the return value of skb_reorder_vlan_header(), that is
>> NULL. kfree_skb() is a noop when the argument is NULL.
>>
>> The current code seams safe.
>>
>> Paolo
> Hi Paolo, even current code is safe, this's still a potential problem. We should make an
> assumption that inner function doesn't free skb, and let outside function take care of this.
No, the current code is intentional and perfectly fine.
Fix real bugs, not imaginary ones.
Thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-29 17:11 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-29 12:22 [net] net: fix double free issue of skbuff Zhang Shengju
2016-02-29 12:58 ` Sergei Shtylyov
2016-02-29 13:10 ` Paolo Abeni
2016-02-29 17:01 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2016-02-29 14:10 张胜举
2016-02-29 14:16 张胜举
2016-02-29 17:11 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).