diff options
| author | Pravin B Shelar <pshelar@nicira.com> | 2014-12-23 19:20:36 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-12-23 23:57:31 -0500 |
| commit | 74f47278cb056ffe1d261df3e094d608c3569829 (patch) | |
| tree | f3db0334e66ecad72af35d47efac4f1a24edb736 /drivers/net | |
| parent | 997e068ebc17d8d57e735578df44b6341cd5f2f3 (diff) | |
vxlan: Fix double free of skb.
In case of error vxlan_xmit_one() can free already freed skb.
Also fixes memory leak of dst-entry.
Fixes: acbf74a7630 ("vxlan: Refactor vxlan driver to make use
of the common UDP tunnel functions").
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net')
| -rw-r--r-- | drivers/net/vxlan.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 49d9f2291998..7fbd89fbe107 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c | |||
| @@ -1579,8 +1579,10 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs, | |||
| 1579 | bool udp_sum = !udp_get_no_check6_tx(vs->sock->sk); | 1579 | bool udp_sum = !udp_get_no_check6_tx(vs->sock->sk); |
| 1580 | 1580 | ||
| 1581 | skb = udp_tunnel_handle_offloads(skb, udp_sum); | 1581 | skb = udp_tunnel_handle_offloads(skb, udp_sum); |
| 1582 | if (IS_ERR(skb)) | 1582 | if (IS_ERR(skb)) { |
| 1583 | return -EINVAL; | 1583 | err = -EINVAL; |
| 1584 | goto err; | ||
| 1585 | } | ||
| 1584 | 1586 | ||
| 1585 | skb_scrub_packet(skb, xnet); | 1587 | skb_scrub_packet(skb, xnet); |
| 1586 | 1588 | ||
| @@ -1590,12 +1592,16 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs, | |||
| 1590 | 1592 | ||
| 1591 | /* Need space for new headers (invalidates iph ptr) */ | 1593 | /* Need space for new headers (invalidates iph ptr) */ |
| 1592 | err = skb_cow_head(skb, min_headroom); | 1594 | err = skb_cow_head(skb, min_headroom); |
| 1593 | if (unlikely(err)) | 1595 | if (unlikely(err)) { |
| 1594 | return err; | 1596 | kfree_skb(skb); |
| 1597 | goto err; | ||
| 1598 | } | ||
| 1595 | 1599 | ||
| 1596 | skb = vlan_hwaccel_push_inside(skb); | 1600 | skb = vlan_hwaccel_push_inside(skb); |
| 1597 | if (WARN_ON(!skb)) | 1601 | if (WARN_ON(!skb)) { |
| 1598 | return -ENOMEM; | 1602 | err = -ENOMEM; |
| 1603 | goto err; | ||
| 1604 | } | ||
| 1599 | 1605 | ||
| 1600 | vxh = (struct vxlanhdr *) __skb_push(skb, sizeof(*vxh)); | 1606 | vxh = (struct vxlanhdr *) __skb_push(skb, sizeof(*vxh)); |
| 1601 | vxh->vx_flags = htonl(VXLAN_FLAGS); | 1607 | vxh->vx_flags = htonl(VXLAN_FLAGS); |
| @@ -1606,6 +1612,9 @@ static int vxlan6_xmit_skb(struct vxlan_sock *vs, | |||
| 1606 | udp_tunnel6_xmit_skb(vs->sock, dst, skb, dev, saddr, daddr, prio, | 1612 | udp_tunnel6_xmit_skb(vs->sock, dst, skb, dev, saddr, daddr, prio, |
| 1607 | ttl, src_port, dst_port); | 1613 | ttl, src_port, dst_port); |
| 1608 | return 0; | 1614 | return 0; |
| 1615 | err: | ||
| 1616 | dst_release(dst); | ||
| 1617 | return err; | ||
| 1609 | } | 1618 | } |
| 1610 | #endif | 1619 | #endif |
| 1611 | 1620 | ||
| @@ -1621,7 +1630,7 @@ int vxlan_xmit_skb(struct vxlan_sock *vs, | |||
| 1621 | 1630 | ||
| 1622 | skb = udp_tunnel_handle_offloads(skb, udp_sum); | 1631 | skb = udp_tunnel_handle_offloads(skb, udp_sum); |
| 1623 | if (IS_ERR(skb)) | 1632 | if (IS_ERR(skb)) |
| 1624 | return -EINVAL; | 1633 | return PTR_ERR(skb); |
| 1625 | 1634 | ||
| 1626 | min_headroom = LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len | 1635 | min_headroom = LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len |
| 1627 | + VXLAN_HLEN + sizeof(struct iphdr) | 1636 | + VXLAN_HLEN + sizeof(struct iphdr) |
| @@ -1629,8 +1638,10 @@ int vxlan_xmit_skb(struct vxlan_sock *vs, | |||
| 1629 | 1638 | ||
| 1630 | /* Need space for new headers (invalidates iph ptr) */ | 1639 | /* Need space for new headers (invalidates iph ptr) */ |
| 1631 | err = skb_cow_head(skb, min_headroom); | 1640 | err = skb_cow_head(skb, min_headroom); |
| 1632 | if (unlikely(err)) | 1641 | if (unlikely(err)) { |
| 1642 | kfree_skb(skb); | ||
| 1633 | return err; | 1643 | return err; |
| 1644 | } | ||
| 1634 | 1645 | ||
| 1635 | skb = vlan_hwaccel_push_inside(skb); | 1646 | skb = vlan_hwaccel_push_inside(skb); |
| 1636 | if (WARN_ON(!skb)) | 1647 | if (WARN_ON(!skb)) |
| @@ -1776,9 +1787,12 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, | |||
| 1776 | tos, ttl, df, src_port, dst_port, | 1787 | tos, ttl, df, src_port, dst_port, |
| 1777 | htonl(vni << 8), | 1788 | htonl(vni << 8), |
| 1778 | !net_eq(vxlan->net, dev_net(vxlan->dev))); | 1789 | !net_eq(vxlan->net, dev_net(vxlan->dev))); |
| 1779 | 1790 | if (err < 0) { | |
| 1780 | if (err < 0) | 1791 | /* skb is already freed. */ |
| 1792 | skb = NULL; | ||
| 1781 | goto rt_tx_error; | 1793 | goto rt_tx_error; |
| 1794 | } | ||
| 1795 | |||
| 1782 | iptunnel_xmit_stats(err, &dev->stats, dev->tstats); | 1796 | iptunnel_xmit_stats(err, &dev->stats, dev->tstats); |
| 1783 | #if IS_ENABLED(CONFIG_IPV6) | 1797 | #if IS_ENABLED(CONFIG_IPV6) |
| 1784 | } else { | 1798 | } else { |