[PATCH net] net: dsa: ksz: fix skb freeing

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] net: dsa: ksz: fix skb freeing
@ 2017-08-09 20:46 Vivien Didelot
  2017-08-09 20:53 ` Andrew Lunn
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Vivien Didelot @ 2017-08-09 20:46 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, kernel, David S. Miller, Florian Fainelli,
	Andrew Lunn, Vivien Didelot

The DSA layer frees the original skb when an xmit function returns NULL,
meaning an error occurred. But if the tagging code copied the original
skb, it is responsible of freeing the copy if an error occurs.

The ksz tagging code currently has two issues: if skb_put_padto fails,
the skb copy is not freed, and the original skb will be freed twice.

To fix that, move skb_put_padto inside both branches of the skb_tailroom
condition, before freeing the original skb, and free the copy on error.

Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
---
 net/dsa/tag_ksz.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index fab41de8e983..de66ca8e6201 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -42,6 +42,9 @@ static struct sk_buff *ksz_xmit(struct sk_buff *skb, struct net_device *dev)
 	padlen = (skb->len >= ETH_ZLEN) ? 0 : ETH_ZLEN - skb->len;
 
 	if (skb_tailroom(skb) >= padlen + KSZ_INGRESS_TAG_LEN) {
+		if (skb_put_padto(skb, skb->len + padlen))
+			return NULL;
+
 		nskb = skb;
 	} else {
 		nskb = alloc_skb(NET_IP_ALIGN + skb->len +
@@ -56,13 +59,15 @@ static struct sk_buff *ksz_xmit(struct sk_buff *skb, struct net_device *dev)
 		skb_set_transport_header(nskb,
 					 skb_transport_header(skb) - skb->head);
 		skb_copy_and_csum_dev(skb, skb_put(nskb, skb->len));
+
+		if (skb_put_padto(nskb, nskb->len + padlen)) {
+			kfree_skb(nskb);
+			return NULL;
+		}
+
 		kfree_skb(skb);
 	}
 
-	/* skb is freed when it fails */
-	if (skb_put_padto(nskb, nskb->len + padlen))
-		return NULL;
-
 	tag = skb_put(nskb, KSZ_INGRESS_TAG_LEN);
 	tag[0] = 0;
 	tag[1] = 1 << p->dp->index; /* destination port */
-- 
2.14.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net: dsa: ksz: fix skb freeing
  2017-08-09 20:46 [PATCH net] net: dsa: ksz: fix skb freeing Vivien Didelot
@ 2017-08-09 20:53 ` Andrew Lunn
  2017-08-09 21:43 ` Woojung.Huh
  2017-08-11 20:57 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Andrew Lunn @ 2017-08-09 20:53 UTC (permalink / raw)
  To: Vivien Didelot, Woojung.Huh
  Cc: netdev, linux-kernel, kernel, David S. Miller, Florian Fainelli

Hi Vivien

You missed sending a copy to Woojung Huh.

    Andrew

On Wed, Aug 09, 2017 at 04:46:09PM -0400, Vivien Didelot wrote:
> The DSA layer frees the original skb when an xmit function returns NULL,
> meaning an error occurred. But if the tagging code copied the original
> skb, it is responsible of freeing the copy if an error occurs.
> 
> The ksz tagging code currently has two issues: if skb_put_padto fails,
> the skb copy is not freed, and the original skb will be freed twice.
> 
> To fix that, move skb_put_padto inside both branches of the skb_tailroom
> condition, before freeing the original skb, and free the copy on error.
> 
> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
> ---
>  net/dsa/tag_ksz.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
> index fab41de8e983..de66ca8e6201 100644
> --- a/net/dsa/tag_ksz.c
> +++ b/net/dsa/tag_ksz.c
> @@ -42,6 +42,9 @@ static struct sk_buff *ksz_xmit(struct sk_buff *skb, struct net_device *dev)
>  	padlen = (skb->len >= ETH_ZLEN) ? 0 : ETH_ZLEN - skb->len;
>  
>  	if (skb_tailroom(skb) >= padlen + KSZ_INGRESS_TAG_LEN) {
> +		if (skb_put_padto(skb, skb->len + padlen))
> +			return NULL;
> +
>  		nskb = skb;
>  	} else {
>  		nskb = alloc_skb(NET_IP_ALIGN + skb->len +
> @@ -56,13 +59,15 @@ static struct sk_buff *ksz_xmit(struct sk_buff *skb, struct net_device *dev)
>  		skb_set_transport_header(nskb,
>  					 skb_transport_header(skb) - skb->head);
>  		skb_copy_and_csum_dev(skb, skb_put(nskb, skb->len));
> +
> +		if (skb_put_padto(nskb, nskb->len + padlen)) {
> +			kfree_skb(nskb);
> +			return NULL;
> +		}
> +
>  		kfree_skb(skb);
>  	}
>  
> -	/* skb is freed when it fails */
> -	if (skb_put_padto(nskb, nskb->len + padlen))
> -		return NULL;
> -
>  	tag = skb_put(nskb, KSZ_INGRESS_TAG_LEN);
>  	tag[0] = 0;
>  	tag[1] = 1 << p->dp->index; /* destination port */
> -- 
> 2.14.0
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* RE: [PATCH net] net: dsa: ksz: fix skb freeing
  2017-08-09 20:46 [PATCH net] net: dsa: ksz: fix skb freeing Vivien Didelot
  2017-08-09 20:53 ` Andrew Lunn
@ 2017-08-09 21:43 ` Woojung.Huh
  2017-08-11 20:57 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Woojung.Huh @ 2017-08-09 21:43 UTC (permalink / raw)
  To: vivien.didelot, netdev; +Cc: linux-kernel, kernel, davem, f.fainelli, andrew

> The DSA layer frees the original skb when an xmit function returns NULL,
> meaning an error occurred. But if the tagging code copied the original
> skb, it is responsible of freeing the copy if an error occurs.
> 
> The ksz tagging code currently has two issues: if skb_put_padto fails,
> the skb copy is not freed, and the original skb will be freed twice.
> 
> To fix that, move skb_put_padto inside both branches of the skb_tailroom
> condition, before freeing the original skb, and free the copy on error.
> 
> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: Woojung Huh <woojung.huh@microchip.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] net: dsa: ksz: fix skb freeing
  2017-08-09 20:46 [PATCH net] net: dsa: ksz: fix skb freeing Vivien Didelot
  2017-08-09 20:53 ` Andrew Lunn
  2017-08-09 21:43 ` Woojung.Huh
@ 2017-08-11 20:57 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2017-08-11 20:57 UTC (permalink / raw)
  To: vivien.didelot; +Cc: netdev, linux-kernel, kernel, f.fainelli, andrew

From: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Date: Wed,  9 Aug 2017 16:46:09 -0400

> The DSA layer frees the original skb when an xmit function returns NULL,
> meaning an error occurred. But if the tagging code copied the original
> skb, it is responsible of freeing the copy if an error occurs.
> 
> The ksz tagging code currently has two issues: if skb_put_padto fails,
> the skb copy is not freed, and the original skb will be freed twice.
> 
> To fix that, move skb_put_padto inside both branches of the skb_tailroom
> condition, before freeing the original skb, and free the copy on error.
> 
> Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>

Applied, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-08-11 20:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-09 20:46 [PATCH net] net: dsa: ksz: fix skb freeing Vivien Didelot
2017-08-09 20:53 ` Andrew Lunn
2017-08-09 21:43 ` Woojung.Huh
2017-08-11 20:57 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).