| Message ID | 20210616144044.20693-1-linyyuan@codeaurora.org |
|---|---|
| State | New |
| Headers | show |
| Series | net: cdc_eem: fix tx fixup skb leak | expand |
On Wed, Jun 16, 2021 at 10:40:44PM +0800, Linyu Yuan wrote: > when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), > if skb_copy_expand() failed, it return NULL, > usbnet_start_xmit() will have no chance to free original skb. > > fix it by free orginal skb in eem_tx_fixup() first, > then check skb clone status, if failed, return NULL to usbnet. > > Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org> > --- > drivers/net/usb/cdc_eem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) What commit does this "Fix:"? Can you please add that to the signed-off-by area? thanks, greg k-h
diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c index 2e60bc1b9a6b..359ea0d10e59 100644 --- a/drivers/net/usb/cdc_eem.c +++ b/drivers/net/usb/cdc_eem.c @@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, } skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); + dev_kfree_skb_any(skb); if (!skb2) return NULL; - dev_kfree_skb_any(skb); skb = skb2; done:
when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), if skb_copy_expand() failed, it return NULL, usbnet_start_xmit() will have no chance to free original skb. fix it by free orginal skb in eem_tx_fixup() first, then check skb clone status, if failed, return NULL to usbnet. Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org> --- drivers/net/usb/cdc_eem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)