udp: drop head states only when all skb references are gone
authorPaolo Abeni <pabeni@redhat.com>
Wed, 6 Sep 2017 12:44:36 +0000 (14:44 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 8 Sep 2017 03:02:39 +0000 (20:02 -0700)
After commit 0ddf3fb2c43d ("udp: preserve skb->dst if required
for IP options processing") we clear the skb head state as soon
as the skb carrying them is first processed.

Since the same skb can be processed several times when MSG_PEEK
is used, we can end up lacking the required head states, and
eventually oopsing.

Fix this clearing the skb head state only when processing the
last skb reference.

Reported-by: Eric Dumazet <edumazet@google.com>
Fixes: 0ddf3fb2c43d ("udp: preserve skb->dst if required for IP options processing")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/skbuff.h
net/core/skbuff.c
net/ipv4/udp.c

index f751f3b930391d02b7b0f2c2d3852de64b46b920..72299ef00061db1ce70d34b96ae1639ecde08837 100644 (file)
@@ -958,7 +958,7 @@ void kfree_skb(struct sk_buff *skb);
 void kfree_skb_list(struct sk_buff *segs);
 void skb_tx_error(struct sk_buff *skb);
 void consume_skb(struct sk_buff *skb);
-void consume_stateless_skb(struct sk_buff *skb);
+void __consume_stateless_skb(struct sk_buff *skb);
 void  __kfree_skb(struct sk_buff *skb);
 extern struct kmem_cache *skbuff_head_cache;
 
index 68065d7d383fa6bb477ac690a926d9d86db65bc9..16982de649b97b92423a4f9f5eac1e98ca803370 100644 (file)
@@ -710,14 +710,11 @@ EXPORT_SYMBOL(consume_skb);
  *     consume_stateless_skb - free an skbuff, assuming it is stateless
  *     @skb: buffer to free
  *
- *     Works like consume_skb(), but this variant assumes that all the head
- *     states have been already dropped.
+ *     Alike consume_skb(), but this variant assumes that this is the last
+ *     skb reference and all the head states have been already dropped
  */
-void consume_stateless_skb(struct sk_buff *skb)
+void __consume_stateless_skb(struct sk_buff *skb)
 {
-       if (!skb_unref(skb))
-               return;
-
        trace_consume_skb(skb);
        skb_release_data(skb);
        kfree_skbmem(skb);
index db1c9e78c83c7fb0aba67114c5909c583e618a0a..ef29df8648e4d388547269fe6f972e8ab473419e 100644 (file)
@@ -1397,12 +1397,15 @@ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len)
                unlock_sock_fast(sk, slow);
        }
 
+       if (!skb_unref(skb))
+               return;
+
        /* In the more common cases we cleared the head states previously,
         * see __udp_queue_rcv_skb().
         */
        if (unlikely(udp_skb_has_head_state(skb)))
                skb_release_head_state(skb);
-       consume_stateless_skb(skb);
+       __consume_stateless_skb(skb);
 }
 EXPORT_SYMBOL_GPL(skb_consume_udp);