| Message ID | 20210328075008.4770-1-lyl2019@mail.ustc.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit | expand |
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Sun, 28 Mar 2021 00:50:08 -0700 you wrote: > In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free > the skb in the first time and goto drop. But the same skb is freed > by kfree_skb(skb) in the second time in drop. > > Maintaining the original function unchanged, my patch adds a new > label out to avoid the double free if __skb_pad() failed. > > [...] Here is the summary with links: - drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit https://git.kernel.org/netdev/net/c/1b479fb80160 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
> In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free > the skb in the first time and goto drop. But the same skb is freed > by kfree_skb(skb) in the second time in drop. > > Maintaining the original function unchanged, my patch adds a new > label out to avoid the double free if __skb_pad() failed. > > Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit") > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> > --- > drivers/net/wan/hdlc_fr.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c > index 0720f5f92caa..4d9dc7d15908 100644 > --- a/drivers/net/wan/hdlc_fr.c > +++ b/drivers/net/wan/hdlc_fr.c > @@ -415,7 +415,7 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) > > if (pad > 0) { /* Pad the frame with zeros */ > if (__skb_pad(skb, pad, false)) > - goto drop; > + goto out; > skb_put(skb, pad); > } > } > @@ -448,8 +448,9 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) > return NETDEV_TX_OK; > > drop: > - dev->stats.tx_dropped++; > kfree_skb(skb); > +out: > + dev->stats.tx_dropped++; > return NETDEV_TX_OK; > } > 1. This patch is incorrect. "__skb_pad" will NOT free the skb on failure when its "free_on_error" parameter is "false". 2. If you think you fix my commit, please CC me so that I can review your patch. I have sent another patch to revert this.
diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c index 0720f5f92caa..4d9dc7d15908 100644 --- a/drivers/net/wan/hdlc_fr.c +++ b/drivers/net/wan/hdlc_fr.c @@ -415,7 +415,7 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) if (pad > 0) { /* Pad the frame with zeros */ if (__skb_pad(skb, pad, false)) - goto drop; + goto out; skb_put(skb, pad); } } @@ -448,8 +448,9 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) return NETDEV_TX_OK; drop: - dev->stats.tx_dropped++; kfree_skb(skb); +out: + dev->stats.tx_dropped++; return NETDEV_TX_OK; }
In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free the skb in the first time and goto drop. But the same skb is freed by kfree_skb(skb) in the second time in drop. Maintaining the original function unchanged, my patch adds a new label out to avoid the double free if __skb_pad() failed. Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit") Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> --- drivers/net/wan/hdlc_fr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)