| Message ID | 20240220081053.1439104-1-jk@codeconstruct.com.au (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 3773d65ae5154ed7df404b050fd7387a36ab5ef3 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next,v2] net: mctp: take ownership of skb in mctp_local_output | expand |
On Tue, Feb 20, 2024 at 04:10:53PM +0800, Jeremy Kerr wrote: > Currently, mctp_local_output only takes ownership of skb on success, and > we may leak an skb if mctp_local_output fails in specific states; the > skb ownership isn't transferred until the actual output routing occurs. > > Instead, make mctp_local_output free the skb on all error paths up to > the route action, so it always consumes the passed skb. > > Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") > Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au> > > --- > v2: > - retain EINVAL return code in !rt && !ifindex case. Based on feedback > from Simon Horman <horms@kernel.org>. Hi Jeremy, Thanks for the update. This one looks good to me. Reviewed-by: Simon Horman <horms@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Tue, 20 Feb 2024 16:10:53 +0800 you wrote: > Currently, mctp_local_output only takes ownership of skb on success, and > we may leak an skb if mctp_local_output fails in specific states; the > skb ownership isn't transferred until the actual output routing occurs. > > Instead, make mctp_local_output free the skb on all error paths up to > the route action, so it always consumes the passed skb. > > [...] Here is the summary with links: - [net-next,v2] net: mctp: take ownership of skb in mctp_local_output https://git.kernel.org/netdev/net/c/3773d65ae515 You are awesome, thank you!
diff --git a/include/net/mctp.h b/include/net/mctp.h index da86e106c91d..2bff5f47ce82 100644 --- a/include/net/mctp.h +++ b/include/net/mctp.h @@ -249,6 +249,7 @@ struct mctp_route { struct mctp_route *mctp_route_lookup(struct net *net, unsigned int dnet, mctp_eid_t daddr); +/* always takes ownership of skb */ int mctp_local_output(struct sock *sk, struct mctp_route *rt, struct sk_buff *skb, mctp_eid_t daddr, u8 req_tag); diff --git a/net/mctp/route.c b/net/mctp/route.c index 7a47a58aa54b..d0c43812bec3 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -888,7 +888,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, dev = dev_get_by_index_rcu(sock_net(sk), cb->ifindex); if (!dev) { rcu_read_unlock(); - return rc; + goto out_free; } rt->dev = __mctp_dev_get(dev); rcu_read_unlock(); @@ -903,7 +903,8 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, rt->mtu = 0; } else { - return -EINVAL; + rc = -EINVAL; + goto out_free; } spin_lock_irqsave(&rt->dev->addrs_lock, flags); @@ -966,12 +967,17 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, rc = mctp_do_fragment_route(rt, skb, mtu, tag); } + /* route output functions consume the skb, even on error */ + skb = NULL; + out_release: if (!ext_rt) mctp_route_release(rt); mctp_dev_put(tmp_rt.dev); +out_free: + kfree_skb(skb); return rc; }
Currently, mctp_local_output only takes ownership of skb on success, and we may leak an skb if mctp_local_output fails in specific states; the skb ownership isn't transferred until the actual output routing occurs. Instead, make mctp_local_output free the skb on all error paths up to the route action, so it always consumes the passed skb. Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au> --- v2: - retain EINVAL return code in !rt && !ifindex case. Based on feedback from Simon Horman <horms@kernel.org>. --- include/net/mctp.h | 1 + net/mctp/route.c | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-)