Prev: [62/74] be2net: Bug fix to support newer generation of BE ASIC
Next: [02/74] [SCSI] mptsas: Fix issue with chain pools allocation on katmai
From: Greg KH on 4 Feb 2010 12:40
2.6.32-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jarek Poplawski <jarkao2(a)gmail.com>

[ Upstream commit eb70df13ee52dbc0f2c0ffd8ed34a8cd27440baf ]

tpacket_snd() can change and kfree an skb after dev_queue_xmit(),
which is illegal.

With debugging by: Stephen Hemminger <shemminger(a)vyatta.com>

Reported-by: Michael Breuer <mbreuer(a)majjas.com>
With help from: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Jarek Poplawski <jarkao2(a)gmail.com>
Tested-by: Michael Breuer<mbreuer(a)majjas.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
net/packet/af_packet.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1028,8 +1028,20 @@ static int tpacket_snd(struct packet_soc

status = TP_STATUS_SEND_REQUEST;
err = dev_queue_xmit(skb);
- if (unlikely(err > 0 && (err = net_xmit_errno(err)) != 0))
- goto out_xmit;
+ if (unlikely(err > 0)) {
+ err = net_xmit_errno(err);
+ if (err && __packet_get_status(po, ph) ==
+ TP_STATUS_AVAILABLE) {
+ /* skb was destructed already */
+ skb = NULL;
+ goto out_status;
+ }
+ /*
+ * skb was dropped but not destructed yet;
+ * let's treat it like congestion or err < 0
+ */
+ err = 0;
+ }
packet_increment_head(&po->tx_ring);
len_sum += tp_len;
} while (likely((ph != NULL) || ((!(msg->msg_flags & MSG_DONTWAIT))
@@ -1039,9 +1051,6 @@ static int tpacket_snd(struct packet_soc
err = len_sum;
goto out_put;

-out_xmit:
- skb->destructor = sock_wfree;
- atomic_dec(&po->tx_ring.pending);
out_status:
__packet_set_status(po, ph, status);
kfree_skb(skb);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [62/74] be2net: Bug fix to support newer generation of BE ASIC
Next: [02/74] [SCSI] mptsas: Fix issue with chain pools allocation on katmai