vxlan: Fix double free of skb.

In case of error vxlan_xmit_one() can free already freed skb. Also fixes memory leak of dst-entry. Fixes: acbf74a7630 ("vxlan: Refactor vxlan driver to make use of the common UDP tunnel functions"). Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pravin B Shelar <pshelar@nicira.com> 2014-12-23 19:20:36 -0500
committer: David S. Miller <davem@davemloft.net> 2014-12-23 23:57:31 -0500
commit: 74f47278cb056ffe1d261df3e094d608c3569829 (patch)
tree: f3db0334e66ecad72af35d47efac4f1a24edb736
parent: 997e068ebc17d8d57e735578df44b6341cd5f2f3 (diff)
1 files changed, 24 insertions, 10 deletions
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 49d9f2291998..7fbd89fbe107 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1579,8 +1579,10 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
        bool udp_sum = !udp_get_no_check6_tx(vs->sock->sk);
        skb = udp_tunnel_handle_offloads(skb, udp_sum);
-        if (IS_ERR(skb))
+        if (IS_ERR(skb)) {
-                return -EINVAL;
+                err = -EINVAL;
+                goto err;
+        }
        skb_scrub_packet(skb, xnet);
@@ -1590,12 +1592,16 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
        /* Need space for new headers (invalidates iph ptr) */
        err = skb_cow_head(skb, min_headroom);
-        if (unlikely(err))
+        if (unlikely(err)) {
-                return err;
+                kfree_skb(skb);
+                goto err;
+        }
        skb = vlan_hwaccel_push_inside(skb);
-        if (WARN_ON(!skb))
+        if (WARN_ON(!skb)) {
-                return -ENOMEM;
+                err = -ENOMEM;
+                goto err;
+        }
        vxh = (struct vxlanhdr *) __skb_push(skb, sizeof(*vxh));
        vxh->vx_flags = htonl(VXLAN_FLAGS);
@@ -1606,6 +1612,9 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
        udp_tunnel6_xmit_skb(vs->sock, dst, skb, dev, saddr, daddr, prio,
                             ttl, src_port, dst_port);
        return 0;
+err:
+        dst_release(dst);
+        return err;
 }
 #endif
@@ -1621,7 +1630,7 @@ int vxlan_xmit_skb(struct vxlan_sock *vs,
        skb = udp_tunnel_handle_offloads(skb, udp_sum);
        if (IS_ERR(skb))
-                return -EINVAL;
+                return PTR_ERR(skb);
        min_headroom = LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len
                        + VXLAN_HLEN + sizeof(struct iphdr)
@@ -1629,8 +1638,10 @@ int vxlan_xmit_skb(struct vxlan_sock *vs,
        /* Need space for new headers (invalidates iph ptr) */
        err = skb_cow_head(skb, min_headroom);
-        if (unlikely(err))
+        if (unlikely(err)) {
+                kfree_skb(skb);
                return err;
+        }
        skb = vlan_hwaccel_push_inside(skb);
        if (WARN_ON(!skb))
@@ -1776,9 +1787,12 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
                                     tos, ttl, df, src_port, dst_port,
                                     htonl(vni << 8),
                                     !net_eq(vxlan->net, dev_net(vxlan->dev)));
+                if (err < 0) {
-                if (err < 0)
+                        /* skb is already freed. */
+                        skb = NULL;
                        goto rt_tx_error;
+                }
                iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
 #if IS_ENABLED(CONFIG_IPV6)
        } else {
author	Pravin B Shelar <pshelar@nicira.com>	2014-12-23 19:20:36 -0500
committer	David S. Miller <davem@davemloft.net>	2014-12-23 23:57:31 -0500
commit	74f47278cb056ffe1d261df3e094d608c3569829 (patch)
tree	f3db0334e66ecad72af35d47efac4f1a24edb736
parent	997e068ebc17d8d57e735578df44b6341cd5f2f3 (diff)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 49d9f2291998..7fbd89fbe107 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c
@@ -1579,8 +1579,10 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
1579	bool udp_sum = !udp_get_no_check6_tx(vs->sock->sk);	1579	bool udp_sum = !udp_get_no_check6_tx(vs->sock->sk);
1580		1580
1581	skb = udp_tunnel_handle_offloads(skb, udp_sum);	1581	skb = udp_tunnel_handle_offloads(skb, udp_sum);
1582	if (IS_ERR(skb))	1582	if (IS_ERR(skb)) {
1583	return -EINVAL;	1583	err = -EINVAL;
		1584	goto err;
		1585	}
1584		1586
1585	skb_scrub_packet(skb, xnet);	1587	skb_scrub_packet(skb, xnet);
1586		1588
@@ -1590,12 +1592,16 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
1590		1592
1591	/* Need space for new headers (invalidates iph ptr) */	1593	/* Need space for new headers (invalidates iph ptr) */
1592	err = skb_cow_head(skb, min_headroom);	1594	err = skb_cow_head(skb, min_headroom);
1593	if (unlikely(err))	1595	if (unlikely(err)) {
1594	return err;	1596	kfree_skb(skb);
		1597	goto err;
		1598	}
1595		1599
1596	skb = vlan_hwaccel_push_inside(skb);	1600	skb = vlan_hwaccel_push_inside(skb);
1597	if (WARN_ON(!skb))	1601	if (WARN_ON(!skb)) {
1598	return -ENOMEM;	1602	err = -ENOMEM;
		1603	goto err;
		1604	}
1599		1605
1600	vxh = (struct vxlanhdr ) __skb_push(skb, sizeof(vxh));	1606	vxh = (struct vxlanhdr ) __skb_push(skb, sizeof(vxh));
1601	vxh->vx_flags = htonl(VXLAN_FLAGS);	1607	vxh->vx_flags = htonl(VXLAN_FLAGS);
@@ -1606,6 +1612,9 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs,
1606	udp_tunnel6_xmit_skb(vs->sock, dst, skb, dev, saddr, daddr, prio,	1612	udp_tunnel6_xmit_skb(vs->sock, dst, skb, dev, saddr, daddr, prio,
1607	ttl, src_port, dst_port);	1613	ttl, src_port, dst_port);
1608	return 0;	1614	return 0;
		1615	err:
		1616	dst_release(dst);
		1617	return err;
1609	}	1618	}
1610	#endif	1619	#endif
1611		1620
@@ -1621,7 +1630,7 @@ int vxlan_xmit_skb(struct vxlan_sock *vs,
1621		1630
1622	skb = udp_tunnel_handle_offloads(skb, udp_sum);	1631	skb = udp_tunnel_handle_offloads(skb, udp_sum);
1623	if (IS_ERR(skb))	1632	if (IS_ERR(skb))
1624	return -EINVAL;	1633	return PTR_ERR(skb);
1625		1634
1626	min_headroom = LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len	1635	min_headroom = LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len
1627	+ VXLAN_HLEN + sizeof(struct iphdr)	1636	+ VXLAN_HLEN + sizeof(struct iphdr)
@@ -1629,8 +1638,10 @@ int vxlan_xmit_skb(struct vxlan_sock *vs,
1629		1638
1630	/* Need space for new headers (invalidates iph ptr) */	1639	/* Need space for new headers (invalidates iph ptr) */
1631	err = skb_cow_head(skb, min_headroom);	1640	err = skb_cow_head(skb, min_headroom);
1632	if (unlikely(err))	1641	if (unlikely(err)) {
		1642	kfree_skb(skb);
1633	return err;	1643	return err;
		1644	}
1634		1645
1635	skb = vlan_hwaccel_push_inside(skb);	1646	skb = vlan_hwaccel_push_inside(skb);
1636	if (WARN_ON(!skb))	1647	if (WARN_ON(!skb))
@@ -1776,9 +1787,12 @@ static void vxlan_xmit_one(struct sk_buff skb, struct net_device dev,
1776	tos, ttl, df, src_port, dst_port,	1787	tos, ttl, df, src_port, dst_port,
1777	htonl(vni << 8),	1788	htonl(vni << 8),
1778	!net_eq(vxlan->net, dev_net(vxlan->dev)));	1789	!net_eq(vxlan->net, dev_net(vxlan->dev)));
1779		1790	if (err < 0) {
1780	if (err < 0)	1791	/* skb is already freed. */
		1792	skb = NULL;
1781	goto rt_tx_error;	1793	goto rt_tx_error;
		1794	}
		1795
1782	iptunnel_xmit_stats(err, &dev->stats, dev->tstats);	1796	iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
1783	#if IS_ENABLED(CONFIG_IPV6)	1797	#if IS_ENABLED(CONFIG_IPV6)
1784	} else {	1798	} else {