On 22.02.2021 17:30:59, Johannes Berg wrote:
> On Mon, 2021-02-22 at 16:12 +0100, Oleksij Rempel wrote:
> > This code is trying to clone the skb with optional skb->sk. But this
> > will fail to clone the skb if socket was closed just after the skb was
> > pushed into the networking stack.
>
> Which IMHO is completely fine. If we then still clone the SKB we can't
> do anything with it, since the point would be to ... send it back to the
> socket, but it's gone.

Ok, but why is the skb cloned if there is no socket linked in skb->sk?

| static u16 ieee80211_store_ack_skb(struct ieee80211_local *local,
|                                    struct sk_buff *skb,
|                                    u32 *info_flags,
|                                    u64 *cookie)
| {
|         struct sk_buff *ack_skb;
|         u16 info_id = 0;
|
|         if (skb->sk)
|                 ack_skb = skb_clone_sk(skb);
|         else
|                 ack_skb = skb_clone(skb, GFP_ATOMIC);

Looks like this is dead code, since both callers of
ieee80211_store_ack_skb() first check if there is a skb->sk

|         if (unlikely(!multicast && ((skb->sk &&
|                      skb_shinfo(skb)->tx_flags & SKBTX_WIFI_STATUS) ||
|                      ctrl_flags & IEEE80211_TX_CTL_REQ_TX_STATUS)))
|                 info_id = ieee80211_store_ack_skb(local, skb, &info_flags,
|                                                   cookie);

> Nothing to fix here, I'd think. If you wanted to get a copy back that
> gives you the status of the SKB, it should not come as a huge surprise
> that you have to keep the socket open for that :)
>
> Having the ACK skb will just make us do more work by handing it back
> to skb_complete_wifi_ack() at TX status time, which is supposed to put
> it into the socket's error queue, but if the socket is closed ... no
> point in that.

We haven't looked at the callers of ieee80211_store_ack_skb().

Marc

--
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |