| Message ID | 20170723175447.28431-1-fw@strlen.de |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: Florian Westphal <fw@strlen.de> Date: Sun, 23 Jul 2017 19:54:47 +0200 > A null check is needed after all. netlink skbs can have skb->head be > backed by vmalloc. The netlink destructor vfree()s head, then sets it to > NULL. We then panic in skb_release_data with a NULL dereference. > > Re-add such a test. > > Alternative would be to switch to kvfree to free skb->head memory > and remove the special handling in netlink destructor. > > Reported-by: kernel test robot <fengguang.wu@intel.com> > Fixes: 06dc75ab06943 ("net: Revert "net: add function to allocate sk_buff head without data area") > Signed-off-by: Florian Westphal <fw@strlen.de> Ok, back it goes. Applied, thanks.
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 84bdfa2..c27da51 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -638,7 +638,8 @@ void skb_release_head_state(struct sk_buff *skb) static void skb_release_all(struct sk_buff *skb) { skb_release_head_state(skb); - skb_release_data(skb); + if (likely(skb->head)) + skb_release_data(skb); } /**
A null check is needed after all. netlink skbs can have skb->head be backed by vmalloc. The netlink destructor vfree()s head, then sets it to NULL. We then panic in skb_release_data with a NULL dereference. Re-add such a test. Alternative would be to switch to kvfree to free skb->head memory and remove the special handling in netlink destructor. Reported-by: kernel test robot <fengguang.wu@intel.com> Fixes: 06dc75ab06943 ("net: Revert "net: add function to allocate sk_buff head without data area") Signed-off-by: Florian Westphal <fw@strlen.de> --- net/core/skbuff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)