Re: [PATCH 3/3] tap: free skb if flags error

From: Michael S. Tsirkin
Date: Fri Dec 01 2017 - 09:48:30 EST


On Fri, Dec 01, 2017 at 05:10:38AM -0500, wexu@xxxxxxxxxx wrote:
> From: Wei Xu <wexu@xxxxxxxxxx>
>
> tap_recvmsg() supports accepting skb by msg_control after
> commit 3b4ba04acca8 ("tap: support receiving skb from msg_control"),
> the skb, if present, should be freed within the function; otherwise
> it would be leaked.
>
> Signed-off-by: Wei Xu <wexu@xxxxxxxxxx>
> Reported-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>


Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

> ---
> drivers/net/tap.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index e9489b8..0a886fda 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q,
> DEFINE_WAIT(wait);
> ssize_t ret = 0;
>
> - if (!iov_iter_count(to))
> + if (!iov_iter_count(to)) {
> + if (skb)
> + kfree_skb(skb);
> return 0;
> + }
>
> if (skb)
> goto put;
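Review bot: The `if (skb)` guard around `kfree_skb(skb)` in the new zero-length branch looks redundant, since kfree_skb() returns early on a NULL pointer as far as I know; the branch could be just `kfree_skb(skb);` followed by `return 0;`. The same guard is repeated in the flags check added to tap_recvmsg() in the next hunk. tap_do_read() begins before and continues past this hunk, so whether its remaining exits (for example the path behind `goto put`) also consume the skb cannot be confirmed from here.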
> @@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
> size_t total_len, int flags)
> {
> struct tap_queue *q = container_of(sock, struct tap_queue, sock);
> + struct sk_buff *skb = m->msg_control;
> int ret;
> - if (flags & ~(MSG_DONTWAIT|MSG_TRUNC))
> + if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
> + if (skb)
> + kfree_skb(skb);
> return -EINVAL;
> - ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT,
> - m->msg_control);
> + }
> + ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb);
> if (ret > total_len) {
> m->msg_flags |= MSG_TRUNC;
> ret = flags & MSG_TRUNC ? ret : total_len;
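Review bot: tap_recvmsg() now frees the skb taken from `m->msg_control` on the `-EINVAL` path, but nothing in the code states that ownership rule, so a caller that also releases the skb after an error return would double-free it. I would add a comment above the function such as `/* Owns the skb in m->msg_control, if any: it is freed here on bad flags and otherwise handed to tap_do_read(); callers must not free it again. */`. The caller is not visible in this patch, so its error handling should be checked against that contract. The body of tap_recvmsg() continues past the end of the hunk.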
> --
> 1.8.3.1