]>
Commit | Line | Data |
---|---|---|
59d5af67 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
ddad99c9 FG |
2 | From: Wei Xu <wexu@redhat.com> |
3 | Date: Fri, 1 Dec 2017 05:10:38 -0500 | |
59d5af67 | 4 | Subject: [PATCH] tap: free skb if flags error |
ddad99c9 FG |
5 | MIME-Version: 1.0 |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | tap_recvmsg() supports accepting skb by msg_control after | |
10 | commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"), | |
11 | the skb if presented should be freed within the function, otherwise | |
12 | it would be leaked. | |
13 | ||
14 | Signed-off-by: Wei Xu <wexu@redhat.com> | |
15 | Reported-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com> | |
16 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
17 | --- | |
18 | drivers/net/tap.c | 14 ++++++++++---- | |
19 | 1 file changed, 10 insertions(+), 4 deletions(-) | |
20 | ||
21 | diff --git a/drivers/net/tap.c b/drivers/net/tap.c | |
22 | index 3570c7576993..4e04b6094f3c 100644 | |
23 | --- a/drivers/net/tap.c | |
24 | +++ b/drivers/net/tap.c | |
25 | @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q, | |
26 | DEFINE_WAIT(wait); | |
27 | ssize_t ret = 0; | |
28 | ||
29 | - if (!iov_iter_count(to)) | |
30 | + if (!iov_iter_count(to)) { | |
31 | + if (skb) | |
32 | + kfree_skb(skb); | |
33 | return 0; | |
34 | + } | |
35 | ||
36 | if (skb) | |
37 | goto put; | |
38 | @@ -1155,11 +1158,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, | |
39 | size_t total_len, int flags) | |
40 | { | |
41 | struct tap_queue *q = container_of(sock, struct tap_queue, sock); | |
42 | + struct sk_buff *skb = m->msg_control; | |
43 | int ret; | |
44 | - if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) | |
45 | + if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) { | |
46 | + if (skb) | |
47 | + kfree_skb(skb); | |
48 | return -EINVAL; | |
49 | - ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, | |
50 | - m->msg_control); | |
51 | + } | |
52 | + ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb); | |
53 | if (ret > total_len) { | |
54 | m->msg_flags |= MSG_TRUNC; | |
55 | ret = flags & MSG_TRUNC ? ret : total_len; | |
56 | -- | |
57 | 2.14.2 | |
58 |