[PATCH net] __netif_receive_skb_core: pass skb by reference

Mon, 18 May 2020 02:02:28 -0700 

__netif_receive_skb_core may change the skb pointer passed into it (e.g.
in rx_handler). The original skb may be freed as a result of this
operation.

The callers of __netif_receive_skb_core may further process original skb
by using pt_prev pointer returned by __netif_receive_skb_core thus
leading to unpleasant effects.

The solution is to pass skb by reference into __netif_receive_skb_core.

Signed-off-by: Boris Sukholitko <boris.sukholi...@broadcom.com>
---
 net/core/dev.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 6d327b7aa813..0c2bbf479f19 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4988,7 +4988,7 @@ static inline int nf_ingress(struct sk_buff *skb, struct 
packet_type **pt_prev,
        return 0;
 }
 
-static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc,
+static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,
                                    struct packet_type **ppt_prev)
 {
        struct packet_type *ptype, *pt_prev;
@@ -4997,6 +4997,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, 
bool pfmemalloc,
        bool deliver_exact = false;
        int ret = NET_RX_DROP;
        __be16 type;
+       struct sk_buff *skb = *pskb;
 
        net_timestamp_check(!netdev_tstamp_prequeue, skb);
 
@@ -5023,8 +5024,10 @@ static int __netif_receive_skb_core(struct sk_buff *skb, 
bool pfmemalloc,
                ret2 = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog), skb);
                preempt_enable();
 
-               if (ret2 != XDP_PASS)
-                       return NET_RX_DROP;
+               if (ret2 != XDP_PASS) {
+                       ret = NET_RX_DROP;
+                       goto out;
+               }
                skb_reset_mac_len(skb);
        }
 
@@ -5174,6 +5177,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, 
bool pfmemalloc,
        }
 
 out:
+       *pskb = skb;
        return ret;
 }
 
@@ -5183,7 +5187,7 @@ static int __netif_receive_skb_one_core(struct sk_buff 
*skb, bool pfmemalloc)
        struct packet_type *pt_prev = NULL;
        int ret;
 
-       ret = __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
+       ret = __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
        if (pt_prev)
                ret = INDIRECT_CALL_INET(pt_prev->func, ipv6_rcv, ip_rcv, skb,
                                         skb->dev, pt_prev, orig_dev);
@@ -5261,7 +5265,7 @@ static void __netif_receive_skb_list_core(struct 
list_head *head, bool pfmemallo
                struct packet_type *pt_prev = NULL;
 
                skb_list_del_init(skb);
-               __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
+               __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
                if (!pt_prev)
                        continue;
                if (pt_curr != pt_prev || od_curr != orig_dev) {
-- 
2.19.2

Reply via email to