From patchwork Mon Jun 24 13:26:00 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 253835
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 6B8602C007B
	for <patchwork-incoming@ozlabs.org>;
	Mon, 24 Jun 2013 23:26:05 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1750899Ab3FXN0A (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 24 Jun 2013 09:26:00 -0400
Received: from mail-ea0-f175.google.com ([209.85.215.175]:45982 "EHLO
	mail-ea0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750797Ab3FXNZ7 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 24 Jun 2013 09:25:59 -0400
Received: by mail-ea0-f175.google.com with SMTP id z7so6069986eaf.34
	for <netdev@vger.kernel.org>; Mon, 24 Jun 2013 06:25:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=message-id:subject:from:to:cc:date:content-type:x-mailer
	:content-transfer-encoding:mime-version;
	bh=5PuH/DkP70UscxeMjU7FE1o6noP23/Ck8d4BSp1J1/w=;
	b=XhNBrRQSoa5RFFAH01rAu5Qw98TwVcye+n4ar59YioRo8JHTu+Ihoq9jecaic/WsiH
	WkU/XZL6351Mnc8/Tvyb7plvsIXdDIhdHxOejmBNjnEiPClYiAA68ut2OW2v2zD7m38G
	GXl1EBL3nj6x/MOV7x6wLM8GgAf57mNfgCFWmwoHwN77eNbD/hAxgoSWi2wrcxQMAFz8
	Cz7i4U5UbXDLh46HN0cB5aXstwXhSET5nC8luoB/Bu3orv8DkAF3AreJdcX34ZIqJyQK
	0DNPFxzzSnMLnTEyCGZCaTOLyDHmCj1oCCSL3IrRp67m5BaCk+LholLQLNi3oJRWYEA0
	ZHAQ==
X-Received: by 10.14.47.73 with SMTP id s49mr24956951eeb.71.1372080357757;
	Mon, 24 Jun 2013 06:25:57 -0700 (PDT)
Received: from [172.28.88.255] ([172.28.88.255])
	by mx.google.com with ESMTPSA id
	bj46sm28425697eeb.13.2013.06.24.06.25.55 for <multiple recipients>
	(version=SSLv3 cipher=RC4-SHA bits=128/128);
	Mon, 24 Jun 2013 06:25:56 -0700 (PDT)
Message-ID: <1372080360.3301.61.camel@edumazet-glaptop>
Subject: [PATCH] gre: fix a possible skb leak
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>, Pravin B Shelar <pshelar@nicira.com>,
	Daniel Borkmann <dborkman@redhat.com>
Date: Mon, 24 Jun 2013 06:26:00 -0700
X-Mailer: Evolution 3.2.3-0ubuntu6 
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet <edumazet@google.com>

commit 68c331631143 ("v4 GRE: Add TCP segmentation offload for GRE")
added a possible skb leak, because it frees only the head of segment
list, in case a skb_linearize() call fails.

This patch adds a kfree_skb_list() helper to fix the bug.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Cc: Daniel Borkmann <dborkman@redhat.com>
---
 include/linux/skbuff.h |    1 +
 net/core/skbuff.c      |   20 ++++++++++++--------
 net/ipv4/gre.c         |    2 +-
 3 files changed, 14 insertions(+), 9 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 9c676eae..dec1748 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -627,6 +627,7 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 }
 
 extern void kfree_skb(struct sk_buff *skb);
+extern void kfree_skb_list(struct sk_buff *segs);
 extern void skb_tx_error(struct sk_buff *skb);
 extern void consume_skb(struct sk_buff *skb);
 extern void	       __kfree_skb(struct sk_buff *skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index cfd777b..1c1738c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -483,15 +483,8 @@ EXPORT_SYMBOL(skb_add_rx_frag);
 
 static void skb_drop_list(struct sk_buff **listp)
 {
-	struct sk_buff *list = *listp;
-
+	kfree_skb_list(*listp);
 	*listp = NULL;
-
-	do {
-		struct sk_buff *this = list;
-		list = list->next;
-		kfree_skb(this);
-	} while (list);
 }
 
 static inline void skb_drop_fraglist(struct sk_buff *skb)
@@ -651,6 +644,17 @@ void kfree_skb(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(kfree_skb);
 
+void kfree_skb_list(struct sk_buff *segs)
+{
+	while (segs) {
+		struct sk_buff *next = segs->next;
+
+		kfree_skb(segs);
+		segs = next;
+	}
+}
+EXPORT_SYMBOL(kfree_skb_list);
+
 /**
  *	skb_tx_error - report an sk_buff xmit error
  *	@skb: buffer that triggered an error
diff --git a/net/ipv4/gre.c b/net/ipv4/gre.c
index b2e805a..7856d16 100644
--- a/net/ipv4/gre.c
+++ b/net/ipv4/gre.c
@@ -178,7 +178,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
 
 				err = __skb_linearize(skb);
 				if (err) {
-					kfree_skb(segs);
+					kfree_skb_list(segs);
 					segs = ERR_PTR(err);
 					goto out;
 				}