From: David Miller <davem@davemloft.net>
To: netdev@vger.kernel.org
Subject: [PATCH] net: Frag list lost on head expansion.
Date: Thu, 02 Sep 2010 20:43:32 -0700 (PDT) [thread overview]
Message-ID: <20100902.204332.02275687.davem@davemloft.net> (raw)
When pskb_expand_head() releases the data, with skb_release_data(), it
tries to properly preserve any fragment list using
skb_clone_fraglist().
Although skb_clone_fraglist() will properly grab a reference to all of
the fragment list SKBs, it will not block skb_release_data() from
NULL'ing out the ->frag_list pointer when it calls skb_drop_list() via
skb_drop_fraglist().
As a result we lose the fragment SKBs and they are leaked forever.
Instead, hide the fragment list pointer around the skb_release_data()
call and restore it afterwards. This fixes the bug and also makes
it cheaper since we won't grab and release every single fragment
list SKB reference.
Signed-off-by: David S. Miller <davem@davemloft.net>
---
I found this via pure code inspection, please review.
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 26396ff..def2e49 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -789,6 +789,7 @@ EXPORT_SYMBOL(pskb_copy);
int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
gfp_t gfp_mask)
{
+ struct sk_buff *frag_list;
int i;
u8 *data;
#ifdef NET_SKBUFF_DATA_USES_OFFSET
@@ -822,11 +823,13 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
get_page(skb_shinfo(skb)->frags[i].page);
- if (skb_has_frags(skb))
- skb_clone_fraglist(skb);
+ frag_list = skb_shinfo(skb)->frag_list;
+ skb_shinfo(skb)->frag_list = NULL;
skb_release_data(skb);
+ skb_shinfo(skb)->frag_list = frag_list;
+
off = (data + nhead) - skb->head;
skb->head = data;
next reply other threads:[~2010-09-03 3:43 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-03 3:43 David Miller [this message]
2010-09-03 5:48 ` [PATCH] net: Frag list lost on head expansion Eric Dumazet
2010-09-03 6:19 ` Eric Dumazet
2010-09-03 9:09 ` [PATCH net-next-2.6] net: pskb_expand_head() optimization Eric Dumazet
2010-09-03 13:46 ` David Miller
2010-09-07 2:20 ` David Miller
2010-09-07 5:02 ` Eric Dumazet
2010-09-07 5:05 ` David Miller
2010-09-07 9:16 ` Jarek Poplawski
2010-09-07 9:37 ` Eric Dumazet
2010-09-10 19:54 ` David Miller
2010-09-11 12:31 ` Jarek Poplawski
2010-09-12 3:30 ` David Miller
2010-09-12 10:45 ` Jarek Poplawski
2010-09-12 10:58 ` Jarek Poplawski
2010-09-12 15:58 ` David Miller
2010-09-12 16:13 ` David Miller
2010-09-12 20:57 ` Jarek Poplawski
2010-09-12 22:08 ` David Miller
2010-09-13 7:49 ` Jarek Poplawski
2010-09-12 19:55 ` Ben Pfaff
2010-09-12 20:24 ` David Miller
2010-09-12 20:45 ` Jarek Poplawski
2010-09-20 0:17 ` David Miller
2010-09-20 7:21 ` Jarek Poplawski
2010-09-20 9:02 ` Eric Dumazet
2010-09-20 9:14 ` Jarek Poplawski
2010-09-20 12:12 ` Jarek Poplawski
2010-09-20 12:40 ` Eric Dumazet
2010-09-20 16:59 ` David Miller
2010-09-07 1:25 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100902.204332.02275687.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.