When should kfree_skb be used?

When should kfree_skb be used?

[Paul Marks]

Hi, I'm trying to make sense of the ipip6_rcv function here:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=net/ipv6/sit.c;hb=HEAD#l564

Specifically, why is kfree_skb called when pskb_may_pull(...) returns
true, but not called when it returns false?  Is there something in the
code path which increments the skb's reference count that I'm not
noticing?

Re: When should kfree_skb be used?

[Paul Marks]

On Thu, May 8, 2008 at 9:49 PM, Paul Marks <paul@pmarks.net> wrote:
> Hi, I'm trying to make sense of the ipip6_rcv function here:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=net/ipv6/sit.c;hb=HEAD#l564
>

I've been looking at more uses of pskb_may_pull(), and almost all of
them seem to kfree_skb() after a failure.  Could this occurence in
sit.c be a bug?  It looks like this line was added by davem for linux
2.4.4 in 2001, and hasn't changed since.

Re: When should kfree_skb be used?

[David Miller]

From: "Paul Marks" <paul@pmarks.net>
Date: Thu, 8 May 2008 23:34:59 -0700

> I've been looking at more uses of pskb_may_pull(), and almost all of
> them seem to kfree_skb() after a failure.  Could this occurence in
> sit.c be a bug?  It looks like this line was added by davem for linux
> 2.4.4 in 2001, and hasn't changed since.

Yep, looks like a leak.  The following should fix it, thanks
for the report:

>From 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02 Mon Sep 17 00:00:00 2001
From: David S. Miller <davem@davemloft.net>
Date: Thu, 8 May 2008 23:40:26 -0700
Subject: [PATCH] sit: Add missing kfree_skb() on pskb_may_pull() failure.

Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv6/sit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 4b2f103..5a6fab9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -596,9 +596,9 @@ static int ipip6_rcv(struct sk_buff *skb)
 	}
 
 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-	kfree_skb(skb);
 	read_unlock(&ipip6_lock);
 out:
+	kfree_skb(skb);
 	return 0;
 }
 
-- 
1.5.5.1.57.g5909c

Re: When should kfree_skb be used?

[Paul Marks]

On Thu, May 8, 2008 at 11:41 PM, David Miller <davem@davemloft.net> wrote:
> From: "Paul Marks" <paul@pmarks.net>
> Date: Thu, 8 May 2008 23:34:59 -0700
>
>> I've been looking at more uses of pskb_may_pull(), and almost all of
>> them seem to kfree_skb() after a failure.  Could this occurence in
>> sit.c be a bug?  It looks like this line was added by davem for linux
>> 2.4.4 in 2001, and hasn't changed since.
>
> Yep, looks like a leak.  The following should fix it, thanks
> for the report:
>

Ok, cool, that makes more sense now.