From: Zoltan Kiss Date: Fri, 18 Jul 2014 18:08:03 +0000 (+0100) Subject: xen-netback: Fix releasing frag_list skbs in error path X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b42cc6e421e7bf74e545483aa34b99d2a2ca6d3a;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git xen-netback: Fix releasing frag_list skbs in error path When the grant operations failed, the skb is freed up eventually, and it tries to release the frags, if there is any. For the main skb nr_frags is set to 0 to avoid this, but on the frag_list it iterates through the frags array, and tries to call put_page on the page pointer which contains garbage at that time. Signed-off-by: Zoltan Kiss Reported-by: Armin Zentai Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: xen-devel@lists.xenproject.org Signed-off-by: David S. Miller --- diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index a773f2016bad..8cbf60d4689e 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -1521,7 +1521,16 @@ static int xenvif_tx_submit(struct xenvif_queue *queue) /* Check the remap error code. */ if (unlikely(xenvif_tx_check_gop(queue, skb, &gop_map, &gop_copy))) { + /* If there was an error, xenvif_tx_check_gop is + * expected to release all the frags which were mapped, + * so kfree_skb shouldn't do it again + */ skb_shinfo(skb)->nr_frags = 0; + if (skb_has_frag_list(skb)) { + struct sk_buff *nskb = + skb_shinfo(skb)->frag_list; + skb_shinfo(nskb)->nr_frags = 0; + } kfree_skb(skb); continue; }