From: Jakub Kicinski <kuba@kernel.org>
To: linusw@kernel.org
Cc: Jakub Kicinski <kuba@kernel.org>,
andrew@lunn.ch, olteanv@gmail.com, davem@davemloft.net,
edumazet@google.com, pabeni@redhat.com, horms@kernel.org,
florian.fainelli@broadcom.com, jonas.gorski@gmail.com,
hauke@hauke-m.de, kurt@linutronix.de, woojung.huh@microchip.com,
UNGLinuxDriver@microchip.com, chester.a.unal@arinc9.com,
daniel@makrotopia.org, matthias.bgg@gmail.com,
angelogioacchino.delregno@collabora.com, wei.fang@nxp.com,
xiaoning.wang@nxp.com, clement.leger@bootlin.com,
george.mccollister@gmail.com, mmyangfl@gmail.com,
netdev@vger.kernel.org, sashiko-bot@kernel.org
Subject: Re: [PATCH net v4] net: dsa: Fix skb ownership in taggers
Date: Tue, 23 Jun 2026 19:15:46 -0700 [thread overview]
Message-ID: <20260624021546.2131211-1-kuba@kernel.org> (raw)
In-Reply-To: <20260622-dsa-fix-free-skb-v4-1-7aea01bf4036@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
net: dsa: Fix skb ownership in taggers
This change reworks the DSA tagger ->xmit() and ->rcv() ownership rules
so that taggers consume the skb on failure rather than leaving the drop
to dsa_user_xmit() and dsa_switch_rcv(). It removes the kfree_skb()
calls in those two callers and adds matching kfree_skb() in every
tagger error path that retains skb ownership.
Closes: https://lore.kernel.org/r/20260610153952.1685895-1-kuba@kernel.org/
> diff --git a/net/dsa/tag.c b/net/dsa/tag.c
> index 79ad105902d9..107e93250b94 100644
> --- a/net/dsa/tag.c
> +++ b/net/dsa/tag.c
> @@ -79,15 +79,16 @@ static int dsa_switch_rcv(struct sk_buff *skb, struct net_device *dev,
> if (likely(skb->dev)) {
> dsa_default_offload_fwd_mark(skb);
> nskb = skb;
> + } else {
> + /* Just drop the skb if we can't find the user */
> + kfree_skb(skb);
> }
> } else {
> nskb = cpu_dp->rcv(skb, dev);
> }
>
> - if (!nskb) {
> - kfree_skb(skb);
> + if (!nskb)
> return 0;
> - }
[Critical]
While the ->rcv() path in dsa_switch_rcv() is now consistent with the
new "consumer drops on failure" rule, the dsa_software_vlan_untag()
call later in the same function appears to still follow the old rule.
Can that produce a double-free?
The relevant block, unchanged by this patch, is:
if (unlikely(cpu_dp->ds->untag_bridge_pvid ||
cpu_dp->ds->untag_vlan_aware_bridge_pvid)) {
nskb = dsa_software_vlan_untag(skb);
if (!nskb) {
kfree_skb(skb);
return 0;
}
skb = nskb;
}
The only NULL return inside dsa_software_vlan_untag() is the
skb_vlan_untag() path in net/dsa/tag.h:
if (!skb_vlan_tag_present(skb) && skb->protocol == htons(proto)) {
skb = skb_vlan_untag(skb);
if (!skb)
return NULL;
}
skb_vlan_untag() in net/core/skbuff.c already frees on every error
path before returning NULL:
err_free:
kfree_skb(skb);
return NULL;
That is reachable on a malformed VLAN-tagged frame, for example
through the pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))
check, the skb_share_check() failure, or skb_reorder_vlan_header().
So when dsa_software_vlan_untag() returns NULL, the original skb
has already been freed by skb_vlan_untag(), and the kfree_skb(skb)
in dsa_switch_rcv() then operates on freed memory. Is this the
same anti-pattern the commit message describes as "conceptually
wrong: the pattern elsewhere in the networking code is that
consumers drop their skb:s on failure", and should this call site
also be converted (drop the kfree_skb(skb) here, since the helper
already consumes on failure)?
The path is reachable from any driver that sets
ds->untag_bridge_pvid or ds->untag_vlan_aware_bridge_pvid.
--
pw-bot: cr
prev parent reply other threads:[~2026-06-24 2:15 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 12:47 [PATCH net v4] net: dsa: Fix skb ownership in taggers Linus Walleij
2026-06-24 2:15 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624021546.2131211-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=UNGLinuxDriver@microchip.com \
--cc=andrew@lunn.ch \
--cc=angelogioacchino.delregno@collabora.com \
--cc=chester.a.unal@arinc9.com \
--cc=clement.leger@bootlin.com \
--cc=daniel@makrotopia.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=florian.fainelli@broadcom.com \
--cc=george.mccollister@gmail.com \
--cc=hauke@hauke-m.de \
--cc=horms@kernel.org \
--cc=jonas.gorski@gmail.com \
--cc=kurt@linutronix.de \
--cc=linusw@kernel.org \
--cc=matthias.bgg@gmail.com \
--cc=mmyangfl@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=pabeni@redhat.com \
--cc=sashiko-bot@kernel.org \
--cc=wei.fang@nxp.com \
--cc=woojung.huh@microchip.com \
--cc=xiaoning.wang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox