From: Shoaib Rao <rao.shoaib@oracle.com>
To: Dan Carpenter <dan.carpenter@oracle.com>, kbuild@lists.01.org
Cc: lkp@intel.com, kbuild-all@lists.01.org, netdev@vger.kernel.org
Subject: Re: [net-next:master 2/15] net/unix/af_unix.c:2471 manage_oob() warn: returning freed memory 'skb'
Date: Fri, 6 Aug 2021 10:22:00 -0700 [thread overview]
Message-ID: <d5011700-18f1-a223-c6da-bee7f1526caf@oracle.com> (raw)
In-Reply-To: <202108051610.IrlkPw7d-lkp@intel.com>
This is a false positive. consume_skb does necessarily frees the skb, it
decrements the refcnt abd if no reference exists frees the skb. In this
case skb will not be freed. I used consume_skb as that is what the code
uses.
Shoaib.
On 8/5/21 4:57 AM, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master
> head: c2eecaa193ff1e516a1b389637169ae86a6fa867
> commit: 314001f0bf927015e459c9d387d62a231fe93af3 [2/15] af_unix: Add OOB support
> config: nios2-randconfig-m031-20210804 (attached as .config)
> compiler: nios2-linux-gcc (GCC) 10.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> New smatch warnings:
> net/unix/af_unix.c:2471 manage_oob() warn: returning freed memory 'skb'
>
> vim +/skb +2471 net/unix/af_unix.c
>
> 314001f0bf9270 Rao Shoaib 2021-08-01 2446 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
> 314001f0bf9270 Rao Shoaib 2021-08-01 2447 int flags, int copied)
> 314001f0bf9270 Rao Shoaib 2021-08-01 2448 {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2449 struct unix_sock *u = unix_sk(sk);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2450
> 314001f0bf9270 Rao Shoaib 2021-08-01 2451 if (!unix_skb_len(skb) && !(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2452 skb_unlink(skb, &sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2453 consume_skb(skb);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2454 skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2455 } else {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2456 if (skb == u->oob_skb) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2457 if (copied) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2458 skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2459 } else if (sock_flag(sk, SOCK_URGINLINE)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2460 if (!(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2461 u->oob_skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2462 consume_skb(skb);
>
> Need to set "skb = NULL;" after the consume.
>
> 314001f0bf9270 Rao Shoaib 2021-08-01 2463 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2464 } else if (!(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2465 skb_unlink(skb, &sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2466 consume_skb(skb);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2467 skb = skb_peek(&sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2468 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2469 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2470 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 @2471 return skb;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2472 }
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>
WARNING: multiple messages have this Message-ID (diff)
From: Shoaib Rao <rao.shoaib@oracle.com>
To: kbuild-all@lists.01.org
Subject: Re: [net-next:master 2/15] net/unix/af_unix.c:2471 manage_oob() warn: returning freed memory 'skb'
Date: Fri, 06 Aug 2021 10:22:00 -0700 [thread overview]
Message-ID: <d5011700-18f1-a223-c6da-bee7f1526caf@oracle.com> (raw)
In-Reply-To: <202108051610.IrlkPw7d-lkp@intel.com>
[-- Attachment #1: Type: text/plain, Size: 3021 bytes --]
This is a false positive. consume_skb does necessarily frees the skb, it
decrements the refcnt abd if no reference exists frees the skb. In this
case skb will not be freed. I used consume_skb as that is what the code
uses.
Shoaib.
On 8/5/21 4:57 AM, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master
> head: c2eecaa193ff1e516a1b389637169ae86a6fa867
> commit: 314001f0bf927015e459c9d387d62a231fe93af3 [2/15] af_unix: Add OOB support
> config: nios2-randconfig-m031-20210804 (attached as .config)
> compiler: nios2-linux-gcc (GCC) 10.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> New smatch warnings:
> net/unix/af_unix.c:2471 manage_oob() warn: returning freed memory 'skb'
>
> vim +/skb +2471 net/unix/af_unix.c
>
> 314001f0bf9270 Rao Shoaib 2021-08-01 2446 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
> 314001f0bf9270 Rao Shoaib 2021-08-01 2447 int flags, int copied)
> 314001f0bf9270 Rao Shoaib 2021-08-01 2448 {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2449 struct unix_sock *u = unix_sk(sk);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2450
> 314001f0bf9270 Rao Shoaib 2021-08-01 2451 if (!unix_skb_len(skb) && !(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2452 skb_unlink(skb, &sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2453 consume_skb(skb);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2454 skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2455 } else {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2456 if (skb == u->oob_skb) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2457 if (copied) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2458 skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2459 } else if (sock_flag(sk, SOCK_URGINLINE)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2460 if (!(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2461 u->oob_skb = NULL;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2462 consume_skb(skb);
>
> Need to set "skb = NULL;" after the consume.
>
> 314001f0bf9270 Rao Shoaib 2021-08-01 2463 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2464 } else if (!(flags & MSG_PEEK)) {
> 314001f0bf9270 Rao Shoaib 2021-08-01 2465 skb_unlink(skb, &sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2466 consume_skb(skb);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2467 skb = skb_peek(&sk->sk_receive_queue);
> 314001f0bf9270 Rao Shoaib 2021-08-01 2468 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2469 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 2470 }
> 314001f0bf9270 Rao Shoaib 2021-08-01 @2471 return skb;
> 314001f0bf9270 Rao Shoaib 2021-08-01 2472 }
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
>
next prev parent reply other threads:[~2021-08-06 17:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-05 8:54 [net-next:master 2/15] net/unix/af_unix.c:2471 manage_oob() warn: returning freed memory 'skb' kernel test robot
2021-08-05 11:57 ` Dan Carpenter
2021-08-05 11:57 ` Dan Carpenter
2021-08-06 17:22 ` Shoaib Rao [this message]
2021-08-06 17:22 ` Shoaib Rao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d5011700-18f1-a223-c6da-bee7f1526caf@oracle.com \
--to=rao.shoaib@oracle.com \
--cc=dan.carpenter@oracle.com \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=lkp@intel.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.