af_packet: Don't use skb after dev_queue_xmit()

tpacket_snd() can change and kfree an skb after dev_queue_xmit(),
which is illegal.

With debugging by: Stephen Hemminger <shemminger@vyatta.com>

Reported-by: Michael Breuer <mbreuer@majjas.com>
With help from: David S. Miller <davem@davemloft.net>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Michael Breuer <mbreuer@majjas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Jarek Poplawski and committed by David S. Miller eb70df13 fa15e99b

+14 -5
net/packet/af_packet.c
··· 1021 1021 1022 1022 status = TP_STATUS_SEND_REQUEST; 1023 1023 err = dev_queue_xmit(skb); 1024 - if (unlikely(err > 0 && (err = net_xmit_errno(err)) != 0)) 1025 - goto out_xmit; 1024 + if (unlikely(err > 0)) { 1025 + err = net_xmit_errno(err); 1026 + if (err && __packet_get_status(po, ph) == 1027 + TP_STATUS_AVAILABLE) { 1028 + /* skb was destructed already */ 1029 + skb = NULL; 1030 + goto out_status; 1031 + } 1032 + /* 1033 + * skb was dropped but not destructed yet; 1034 + * let's treat it like congestion or err < 0 1035 + */ 1036 + err = 0; 1037 + } 1026 1038 packet_increment_head(&po->tx_ring); 1027 1039 len_sum += tp_len; 1028 1040 } while (likely((ph != NULL) || ··· 1045 1033 err = len_sum; 1046 1034 goto out_put; 1047 1035 1048 - out_xmit: 1049 - skb->destructor = sock_wfree; 1050 - atomic_dec(&po->tx_ring.pending); 1051 1036 out_status: 1052 1037 __packet_set_status(po, ph, status); 1053 1038 kfree_skb(skb);
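Review bot: In the new `if (unlikely(err > 0))` block in tpacket_snd(), the decision to stop touching skb rests entirely on `__packet_get_status(po, ph) == TP_STATUS_AVAILABLE`, and the comment `/* skb was destructed already */` does not say why that status implies the skb is gone. Please expand the comment to name the code that sets the frame to TP_STATUS_AVAILABLE and to state that nothing else can write that status between dev_queue_xmit() and this check, since a wrong inference here either reuses a freed skb or leaks a live one. Separately, the fall-through branch sets `err = 0` and then runs `packet_increment_head(&po->tx_ring)` and `len_sum += tp_len`, so a dropped frame is counted as sent in the return value; if that is intended, the comment should say so explicitly rather than only "treat it like congestion".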
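Review bot: At `out_status`, the new early-exit path arrives with a frame that was just read as TP_STATUS_AVAILABLE, but `__packet_set_status(po, ph, status)` still runs with `status` left at TP_STATUS_SEND_REQUEST from before the dev_queue_xmit() call, which flips the frame back to a send request. If re-queuing the frame is the intent, a one-line comment at the `goto out_status` would make that clear; if not, `status` needs to be updated before the jump. The same path now reaches `kfree_skb(skb)` with `skb = NULL`, which is fine as a no-op but worth noting next to the assignment. With the `out_xmit` label removed, `atomic_dec(&po->tx_ring.pending)` no longer runs on any error path in this function, and the commit message does not say where the pending count is now balanced; please state that so the accounting can be checked.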