| Message ID | 20210616233232.4561-1-linyyuan@codeaurora.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v2] net: cdc_eem: fix tx fixup skb leak | expand |
On Thu, Jun 17, 2021 at 07:32:32AM +0800, Linyu Yuan wrote: > when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), > if skb_copy_expand() failed, it return NULL, > usbnet_start_xmit() will have no chance to free original skb. > > fix it by free orginal skb in eem_tx_fixup() first, > then check skb clone status, if failed, return NULL to usbnet. > > Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") > Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org> > --- > > v2: add Fixes tag > > drivers/net/usb/cdc_eem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c > index 2e60bc1b9a6b..359ea0d10e59 100644 > --- a/drivers/net/usb/cdc_eem.c > +++ b/drivers/net/usb/cdc_eem.c > @@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, > } > > skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); > + dev_kfree_skb_any(skb); > if (!skb2) > return NULL; > > - dev_kfree_skb_any(skb); > skb = skb2; > > done: > -- > 2.25.1 > Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Thu, 17 Jun 2021 07:32:32 +0800 you wrote: > when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), > if skb_copy_expand() failed, it return NULL, > usbnet_start_xmit() will have no chance to free original skb. > > fix it by free orginal skb in eem_tx_fixup() first, > then check skb clone status, if failed, return NULL to usbnet. > > [...] Here is the summary with links: - [v2] net: cdc_eem: fix tx fixup skb leak https://git.kernel.org/netdev/net/c/c3b26fdf1b32 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c index 2e60bc1b9a6b..359ea0d10e59 100644 --- a/drivers/net/usb/cdc_eem.c +++ b/drivers/net/usb/cdc_eem.c @@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, } skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); + dev_kfree_skb_any(skb); if (!skb2) return NULL; - dev_kfree_skb_any(skb); skb = skb2; done:
when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), if skb_copy_expand() failed, it return NULL, usbnet_start_xmit() will have no chance to free original skb. fix it by free orginal skb in eem_tx_fixup() first, then check skb clone status, if failed, return NULL to usbnet. Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org> --- v2: add Fixes tag drivers/net/usb/cdc_eem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)