* [PATCH net] net: mctp: take ownership of skb in mctp_local_output
@ 2024-02-15 7:53 Jeremy Kerr
2024-02-19 9:52 ` Simon Horman
0 siblings, 1 reply; 3+ messages in thread
From: Jeremy Kerr @ 2024-02-15 7:53 UTC (permalink / raw)
To: netdev
Cc: Matt Johnston, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Currently, mctp_local_output only takes ownership of skb on success, and
we may leak an skb if mctp_local_output fails in specific states; the
skb ownership isn't transferred until the actual output routing occurs.

Instead, make mctp_local_output free the skb on all error paths up to
the route action, so it always consumes the passed skb.

Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
---
include/net/mctp.h | 1 +
net/mctp/route.c | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/include/net/mctp.h b/include/net/mctp.h
index da86e106c91d..2bff5f47ce82 100644
--- a/include/net/mctp.h
+++ b/include/net/mctp.h
@@ -249,6 +249,7 @@ struct mctp_route {
struct mctp_route *mctp_route_lookup(struct net *net, unsigned int dnet,
mctp_eid_t daddr);
+/* always takes ownership of skb */
int mctp_local_output(struct sock *sk, struct mctp_route *rt,
struct sk_buff *skb, mctp_eid_t daddr, u8 req_tag);
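Review bot: The new comment above the mctp_local_output prototype should say explicitly that ownership is taken on error returns as well, for example "consumes skb on success and on every error return; callers must not touch or free it afterwards". The diffstat shows only mctp.h and route.c changing, so any caller elsewhere that frees the skb after a failed call would become a double free under this contract; it is worth confirming in the commit message that no such caller exists.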
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 7a47a58aa54b..a64788bc40a8 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -888,7 +888,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
dev = dev_get_by_index_rcu(sock_net(sk), cb->ifindex);
if (!dev) {
rcu_read_unlock();
- return rc;
+ goto out_free;
}
rt->dev = __mctp_dev_get(dev);
rcu_read_unlock();
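Review bot: The goto out_free in the !dev branch depends on rc already holding an error code from before this hunk, which is not obvious at the jump site; setting rc explicitly just before the goto would keep the returned errno from depending on distant initialisation. The jump also skips mctp_route_release() and mctp_dev_put(), which looks right because the reference from __mctp_dev_get(dev) is only taken after this check, but a short comment saying so would help the next reader.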
@@ -903,7 +903,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
rt->mtu = 0;
} else {
- return -EINVAL;
+ goto out_free;
}
spin_lock_irqsave(&rt->dev->addrs_lock, flags);
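Review bot: Replacing "return -EINVAL" with "goto out_free" in the else branch changes the error returned to callers, because out_free returns whatever rc currently holds rather than -EINVAL. If the intent is only to fix the leak, add "rc = -EINVAL;" on the line before the goto so the user-visible errno for this case stays the same.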
@@ -966,12 +966,17 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
rc = mctp_do_fragment_route(rt, skb, mtu, tag);
}
+ /* route output functions consume the skb, even on error */
+ skb = NULL;
+
out_release:
if (!ext_rt)
mctp_route_release(rt);
mctp_dev_put(tmp_rt.dev);
+out_free:
+ kfree_skb(skb);
return rc;
}
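Review bot: The "skb = NULL" assignment before out_release makes the final kfree_skb(skb) safe only if both output paths, including mctp_do_fragment_route(), really free the skb on every one of their own error returns; that invariant is stated in the comment but not enforced here. Please confirm it for each callee, since a callee that returns an error without freeing would now leak silently, and any earlier "goto out_release" taken after the skb has been handed off would double free. It would also help to note that kfree_skb() accepts NULL, which is what the success path relies on.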
--
2.39.2
* Re: [PATCH net] net: mctp: take ownership of skb in mctp_local_output
From: Simon Horman @ 2024-02-19 9:52 UTC (permalink / raw)
To: Jeremy Kerr
Cc: netdev, Matt Johnston, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
On Thu, Feb 15, 2024 at 03:53:09PM +0800, Jeremy Kerr wrote:
> Currently, mctp_local_output only takes ownership of skb on success, and
> we may leak an skb if mctp_local_output fails in specific states; the
> skb ownership isn't transferred until the actual output routing occurs.
>
> Instead, make mctp_local_output free the skb on all error paths up to
> the route action, so it always consumes the passed skb.
>
> Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
> Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
...
> diff --git a/net/mctp/route.c b/net/mctp/route.c
> index 7a47a58aa54b..a64788bc40a8 100644
> --- a/net/mctp/route.c
> +++ b/net/mctp/route.c
> @@ -888,7 +888,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
> dev = dev_get_by_index_rcu(sock_net(sk), cb->ifindex);
> if (!dev) {
> rcu_read_unlock();
> - return rc;
> + goto out_free;
> }
> rt->dev = __mctp_dev_get(dev);
> rcu_read_unlock();
> @@ -903,7 +903,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
> rt->mtu = 0;
>
> } else {
> - return -EINVAL;
> + goto out_free;
Hi Jeremy,
Previously this path returned -EINVAL. Now it will return rc.
But by my reading rc is set to -ENODEV here.
Should that be addressed?
> }
>
> spin_lock_irqsave(&rt->dev->addrs_lock, flags);
> @@ -966,12 +966,17 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt,
> rc = mctp_do_fragment_route(rt, skb, mtu, tag);
> }
>
> + /* route output functions consume the skb, even on error */
> + skb = NULL;
> +
> out_release:
> if (!ext_rt)
> mctp_route_release(rt);
>
> mctp_dev_put(tmp_rt.dev);
>
> +out_free:
> + kfree_skb(skb);
> return rc;
> }
>
> --
> 2.39.2
>
>
* Re: [PATCH net] net: mctp: take ownership of skb in mctp_local_output
From: Jeremy Kerr @ 2024-02-20 7:51 UTC (permalink / raw)
To: Simon Horman
Cc: netdev, Matt Johnston, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Hi Simon,
> Previously this path returned -EINVAL. Now it will return rc.
> But by my reading rc is set to -ENODEV here.
> Should that be addressed?
Yes! While ENODEV is kind-of suitable here, it would be better to
not change that case. I will send a v2 soon.
Thanks for the review.
Cheers,
Jeremy