Re: Fix skb_set_peeked use-after-free bug

2015-08-04 Thread Herbert Xu
David Laight wrote:
> In that case, what happens to the receive queue when skb_clone()
> takes a copy of the skb - freeing the original one?

The new skb is inserted into the recv queue, replacing the existing skb.

--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key

RE: Fix skb_set_peeked use-after-free bug

2015-08-04 Thread David Laight
From: Herbert Xu
> Sent: 04 August 2015 10:21
> On Tue, Aug 04, 2015 at 09:15:13AM +, David Laight wrote:
> >
> > You've introduced a memory leak if skb_clone() fails.
>
> No I have not.
>
> > > nskb = skb_clone(skb, GFP_ATOMIC);
> > > if (!nskb)
> > > - return -ENOMEM;
> > > +

Re: Fix skb_set_peeked use-after-free bug

2015-08-04 Thread Herbert Xu
On Tue, Aug 04, 2015 at 09:15:13AM +, David Laight wrote:
>
> You've introduced a memory leak if skb_clone() fails.

No I have not.

> > nskb = skb_clone(skb, GFP_ATOMIC);
> > if (!nskb)
> > - return -ENOMEM;
> > + return ERR_PTR(-ENOMEM);
> >

Here the original skb
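Review bot: changing the failure return from `return -ENOMEM;` to `return ERR_PTR(-ENOMEM);` switches the function's contract from an errno-valued integer to an error-encoded pointer, so every caller must now test the result with IS_ERR() and recover the code with PTR_ERR() instead of comparing against a negative value; the quoted hunk shows neither the callers nor what happens to the original `skb` when skb_clone() fails, which is precisely the ownership question raised in this thread, so the patch description should state who owns `skb` on that path and the callers should be verified in the same change.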

RE: Fix skb_set_peeked use-after-free bug

2015-08-04 Thread David Laight
From: Herbert Xu
> Sent: 04 August 2015 08:43
> Brenden Blanco wrote:
> >> [ 318.244596] BUG: unable to handle kernel NULL pointer dereference
> >> at 008e
> >> [ 318.245182] IP: [] __skb_recv_datagram+0xbc/0x5a0
> >
> > Replying to myself, and adding commit interested parties...
> >