[BUG] net:ipv6/ip6_tunnel: A double free in ip6_tnl_start_xmit

From: lyl2019
Date: Mon Apr 26 2021 - 22:07:07 EST

Next message: Samuel Zou: "Re: [PATCH 5.4 00/20] 5.4.115-rc1 review"
Previous message: Hugh Dickins: "Re: [PATCH v4 01/10] userfaultfd/hugetlbfs: avoid including userfaultfd_k.h in hugetlb.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, maintainer.
Our code analyzer reported a double free bug,
and it is a little difficult for me to fix the intricate bug.

File: net/ipv6/ip6_tunnel.c

In ip6_tnl_start_xmit, it calls ipxip6_tnl_xmit() and then
ipxip6_tnl_xmit calls ip6_tnl_xmit(). The skb could be freed
at line 1,213 via consume_skb(skb). If ip6_tnl_xmit() returns
an error code, the tx_err branch of ip6_tnl_start_xmit will free
the skb again.

Issue: e7bb18e6c8b7e ("ip6_tunnel: simplify transmit path")
Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>

Next message: Samuel Zou: "Re: [PATCH 5.4 00/20] 5.4.115-rc1 review"
Previous message: Hugh Dickins: "Re: [PATCH v4 01/10] userfaultfd/hugetlbfs: avoid including userfaultfd_k.h in hugetlb.h"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]