From: Jakub Kicinski <kuba@kernel.org>
To: "Bjørn Mork" <bjorn@mork.no>,
	"Kristian Evensen" <kristian.evensen@gmail.com>
Cc: netdev@vger.kernel.org, subashab@codeaurora.org
Subject: Re: [PATCH net] qmi_wwan: Clone the skb when in pass-through mode
Date: Mon, 14 Jun 2021 13:05:30 -0700
Message-ID: <20210614130530.7a422f27@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
In-Reply-To: <8735tky064.fsf@miraculix.mork.no>

On Mon, 14 Jun 2021 16:45:55 +0200 Bjørn Mork wrote:
> Kristian Evensen <kristian.evensen@gmail.com> writes:
> 
> > The skb that we pass to the rmnet driver is owned by usbnet and is freed
> > soon after the rx_fixup() callback is called (in usbnet_bh()).  There is
> > no guarantee that rmnet is done handling the skb before it is freed. We
> > should clone the skb before we call netif_rx() to prevent use-after-free
> > and misc. kernel oops.
> >
> > Fixes: 59e139cf0b32 ("net: qmi_wwan: Add pass through mode")
> >
> > Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
> > ---
> >  drivers/net/usb/qmi_wwan.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
> > index db8d3a4f2678..5ac307eb0bfd 100644
> > --- a/drivers/net/usb/qmi_wwan.c
> > +++ b/drivers/net/usb/qmi_wwan.c
> > @@ -620,6 +620,10 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
> >  		return qmimux_rx_fixup(dev, skb);
> >  
> >  	if (info->flags & QMI_WWAN_FLAG_PASS_THROUGH) {
> > +		skb = skb_clone(skb, GFP_ATOMIC);
> > +		if (!skb)
> > +			return 0;
> > +
> >  		skb->protocol = htons(ETH_P_MAP);
> >  		return (netif_rx(skb) == NET_RX_SUCCESS);
> >  	}  
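Review bot: the clone sidesteps the ownership question instead of answering it. After netif_rx() on the clone succeeds the function still returns 1, and a non-zero rx_fixup() return tells usbnet that the skb it passed in is a valid frame to keep processing (the reply below points at usbnet_skb_return() and eth_type_trans()), so every pass-through frame is now handed up twice: once as the raw ETH_P_MAP clone queued by netif_rx(), and once more through usbnet's normal receive path on the original. netif_rx() consumes whatever skb it is given whether or not it returns NET_RX_SUCCESS, so `return (netif_rx(skb) == NET_RX_SUCCESS);` was already reporting "keep using this skb" for a buffer the stack had taken over, which is a more direct explanation of the crash than usbnet freeing it "soon after". Pick one owner: either drop the netif_rx() call, keep `skb->protocol = htons(ETH_P_MAP);` and `return 1;` so usbnet_skb_return() delivers the frame, or, if netif_rx() must stay, return 0 afterwards so usbnet does not touch the skb again. The `if (!skb) return 0;` on clone failure is fine as written, since the original is still usbnet's to free.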
> 
> Thanks for pointing this out.  But it still looks strange to me.  Why do
> we call netif_rx(skb) here instead of just returning 1 and leave that
> for usbnet_skb_return()?  With cloning we end up doing eth_type_trans()
> on the duplicate - is that wise?

Agreed on the cloning being a strange solution. Kristian, were you able
to reproduce the problem on upstream kernels?

It does look pretty strange that qmimux_rx_fixup() copies out all
packets and receives them, and then lets usbnet process the
multi-frame skb without even pulling off the qmimux_hdr. I'm probably
missing something... otherwise something like FLAG_MULTI_PACKET may be in
order?


Thread overview: 14+ messages
2021-06-14 14:18 [PATCH net] qmi_wwan: Clone the skb when in pass-through mode Kristian Evensen
2021-06-14 14:45 ` Bjørn Mork
2021-06-14 15:49   ` Kristian Evensen
2021-06-14 17:02     ` Kristian Evensen
2021-06-14 20:05   ` Jakub Kicinski [this message]
2021-06-15  6:24     ` Bjørn Mork
2021-06-15  9:03     ` Kristian Evensen
2021-06-15 10:04       ` Bjørn Mork
2021-06-15 10:51         ` Kristian Evensen
2021-06-15 11:04           ` Kristian Evensen
2021-06-15 13:39             ` Bjørn Mork
2021-06-15 19:26               ` Jakub Kicinski
2021-06-15 19:27                 ` Jakub Kicinski
2021-06-16 10:08                 ` Kristian Evensen
