authorAlexander Aring <alex.aring@gmail.com>2015-10-22 12:11:27 +0200
committerMarcel Holtmann <marcel@holtmann.org>2015-10-22 12:24:42 +0200
commitaeedebff6961d96e9df58799e6c3a93513d6f66b (patch)
tree1c6ec387b96e2014a53ec9fdacdbdf1dfa461766 /net
parentBluetooth: Make hci_disconnect() behave correctly for all states (diff)
ieee802154: 6lowpan: fix memory leak
Looking at the current state of memory management in the 6lowpan receive function, I detected some invalid handling. After calling lowpan_invoke_rx_handlers we do a kfree_skb and then return NET_RX_DROP on error handling. We don't do this before that call, and also not on skb_share_check/skb_unshare, which might manipulate the reference counters. After running 'grep -r "dev_add_pack" net/' to see how other packet-layer receive callbacks work, I found that every subsystem does a kfree_skb and then returns NET_RX_DROP, without calling skb functions which might manipulate the skb reference counters. This is why we should do the same here as all other subsystems. I didn't find any documentation on how the packet-layer receive callbacks handle NET_RX_DROP return values either. This patch adds the kfree_skb, then NET_RX_DROP handling for the "trivial checks"; in the case of skb_share_check/skb_unshare the kfree_skb call is done inside these functions. Signed-off-by: Alexander Aring <alex.aring@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net')
-rw-r--r--net/ieee802154/6lowpan/rx.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/net/ieee802154/6lowpan/rx.c b/net/ieee802154/6lowpan/rx.c
index 403f17126433..ef185dd4110d 100644
--- a/net/ieee802154/6lowpan/rx.c
+++ b/net/ieee802154/6lowpan/rx.c
@@ -284,16 +284,16 @@ static int lowpan_rcv(struct sk_buff *skb, struct net_device *wdev,
if (wdev->type != ARPHRD_IEEE802154 ||
skb->pkt_type == PACKET_OTHERHOST ||
!lowpan_rx_h_check(skb))
- return NET_RX_DROP;
+ goto drop;
ldev = wdev->ieee802154_ptr->lowpan_dev;
if (!ldev || !netif_running(ldev))
- return NET_RX_DROP;
+ goto drop;
/* Replacing skb->dev and followed rx handlers will manipulate skb. */
skb = skb_share_check(skb, GFP_ATOMIC);
if (!skb)
- return NET_RX_DROP;
+ goto out;
skb->dev = ldev;
/* When receive frag1 it's likely that we manipulate the buffer.
@@ -304,10 +304,15 @@ static int lowpan_rcv(struct sk_buff *skb, struct net_device *wdev,
lowpan_is_iphc(*skb_network_header(skb))) {
skb = skb_unshare(skb, GFP_ATOMIC);
if (!skb)
- return NET_RX_DROP;
+ goto out;
}
return lowpan_invoke_rx_handlers(skb);
+
+drop:
+ kfree_skb(skb);
+out:
+ return NET_RX_DROP;
}
static struct packet_type lowpan_packet_type = {
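Review bot: The `out` label returns NET_RX_DROP without freeing, and nothing at the labels or at the two `goto out` sites (after skb_share_check() in the first hunk, after skb_unshare() in this one) records why. According to the commit message those helpers free the skb themselves on failure, so skb is NULL on that path; a later edit that routes a still-owned skb to `out` would leak it, and one that frees an skb before jumping to `drop` would free it twice. I would add an ownership comment above the labels, for example `/* drop: we still own skb and must free it; out: skb_share_check()/skb_unshare() already freed it and returned NULL */`. lowpan_rcv() starts before the first hunk, so any other exit paths are not visible here.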