xen-netback: Fix releasing frag_list skbs in error path

When the grant operations failed, the skb is freed up eventually, and it tries
to release the frags, if there is any. For the main skb nr_frags is set to 0 to
avoid this, but on the frag_list it iterates through the frags array, and tries
to call put_page on the page pointer which contains garbage at that time.

Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
Reported-by: Armin Zentai <armin.zentai@ezit.hu>
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: xen-devel@lists.xenproject.org
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 9 insertions, 0 deletions

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index a773f2016bad..8cbf60d4689e 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -1521,7 +1521,16 @@ static int xenvif_tx_submit(struct xenvif_queue *queue)
 
                 /* Check the remap error code. */
                 if (unlikely(xenvif_tx_check_gop(queue, skb, &gop_map, &gop_copy))) {
+                        /* If there was an error, xenvif_tx_check_gop is
+                         * expected to release all the frags which were mapped,
+                         * so kfree_skb shouldn't do it again
+                         */
                         skb_shinfo(skb)->nr_frags = 0;
+                        if (skb_has_frag_list(skb)) {
+                                struct sk_buff *nskb =
+                                                skb_shinfo(skb)->frag_list;
+                                skb_shinfo(nskb)->nr_frags = 0;
+                        }
                         kfree_skb(skb);
                         continue;
                 }