2007-12-09 20:02:44

by Julia Lawall

Subject: [PATCH 1/3] Fix use of skb after netif_rx

From: Julia Lawall <[email protected]>

Recently, Wang Chen submitted a patch
(d30f53aeb31d453a5230f526bea592af07944564) to move a call to netif_rx(skb)
after a subsequent reference to skb, because netif_rx may call kfree_skb on
its argument. The same problem occurs in some other drivers as well.

This was found using the following semantic match.
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
expression skb, e, e1;
@@

// the call that hands skb to the network stack, and may free it
(
netif_rx(skb);
|
netif_rx_ni(skb);
)
// walk forward from that call as long as skb is not reassigned
... when != skb = e
// stop at a reassignment of skb, or flag (*) any later use of it
(
skb = e1
|
* skb
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>
---

diff a/arch/um/drivers/net_kern.c b/arch/um/drivers/net_kern.c
--- a/arch/um/drivers/net_kern.c 2007-11-15 15:09:36.000000000 +0100
+++ b/arch/um/drivers/net_kern.c 2007-12-05 19:01:14.000000000 +0100
@@ -98,10 +98,10 @@ static int uml_net_rx(struct net_device
if (pkt_len > 0) {
skb_trim(skb, pkt_len);
skb->protocol = (*lp->protocol)(skb);
- netif_rx(skb);

lp->stats.rx_bytes += skb->len;
lp->stats.rx_packets++;
+ netif_rx(skb);
return pkt_len;
}
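Review bot: the reordering is correct: netif_rx() takes ownership of skb and may free it, so `lp->stats.rx_bytes += skb->len;` read after the call is a use after free on the drop path; moving `netif_rx(skb);` below both stats updates removes the stale read, and skb->len is still the trimmed length because skb_trim() has already run. Two points worth noting: the return value of netif_rx() is still discarded, so rx_packets and rx_bytes also count packets the stack dropped (unchanged behaviour, not introduced here); and an alternative that keeps the original call order is to copy skb->len into a local before netif_rx(), which stays safe if further skb reads are later added below the call.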


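The ordering hazard the commit message describes, shown as an added example that is not part of the original patch or thread: a constructed model of a driver receive path in which netif_rx() and kfree_skb() are replaced by hypothetical mock functions (`mock_netif_rx`, `mock_kfree_skb`), the `struct skb` and `struct net_stats` types are stripped-down stand-ins, and the drop path is forced by a `congested` flag. The mock free poisons the buffer so that the pre-patch ordering produces a visibly wrong byte count on the drop path, while the post-patch ordering and a local-snapshot variant both account the correct length.

```c
#include <stdio.h>

/* Constructed model of a socket buffer with only the fields this example
 * needs; it is not the kernel's struct sk_buff. */
struct skb {
    unsigned int len;
    int freed;
};

struct net_stats {
    unsigned long rx_bytes;
    unsigned long rx_packets;
};

/* Hypothetical stand-in for kfree_skb(): poisons the buffer so that a read
 * after the free yields an obviously wrong value instead of stale data. */
static void mock_kfree_skb(struct skb *skb)
{
    skb->len = 0xDEADBEEFu;
    skb->freed = 1;
}

/* Hypothetical stand-in for netif_rx(): the caller gives up ownership of
 * skb. As with the real function the packet may be dropped, and a dropped
 * packet is freed; here the drop is forced by the `congested` flag.
 * Returns 0 when accepted and 1 when dropped. */
static int mock_netif_rx(struct skb *skb, int congested)
{
    if (congested) {
        mock_kfree_skb(skb);
        return 1;
    }
    return 0;
}

/* Ordering before the patch: the stats are read from skb after it has been
 * handed off, so on the drop path skb->len is read from a freed buffer. */
unsigned long rx_before_patch(struct skb *skb, struct net_stats *st, int congested)
{
    mock_netif_rx(skb, congested);
    st->rx_bytes += skb->len;   /* use after free when the packet was dropped */
    st->rx_packets++;
    return st->rx_bytes;
}

/* Ordering after the patch: everything needed from skb is read before the
 * call that may free it. */
unsigned long rx_after_patch(struct skb *skb, struct net_stats *st, int congested)
{
    st->rx_bytes += skb->len;
    st->rx_packets++;
    mock_netif_rx(skb, congested);
    return st->rx_bytes;
}

/* Equivalent alternative that keeps the original call order: snapshot the
 * needed field into a local first, then hand the buffer off. */
unsigned long rx_snapshot(struct skb *skb, struct net_stats *st, int congested)
{
    unsigned int len = skb->len;
    mock_netif_rx(skb, congested);
    st->rx_bytes += len;
    st->rx_packets++;
    return st->rx_bytes;
}

typedef unsigned long (*rx_path_fn)(struct skb *, struct net_stats *, int);

/* Runs one receive path on a fresh 100-byte buffer and returns the rx_bytes
 * counter it produced; 100 is the only correct answer. */
unsigned long run_rx_path(rx_path_fn path, int congested)
{
    struct skb skb = { .len = 100, .freed = 0 };
    struct net_stats st = { 0, 0 };
    return path(&skb, &st, congested);
}

int main(void)
{
    printf("before patch, dropped:  rx_bytes=%lu\n", run_rx_path(rx_before_patch, 1));
    printf("after patch,  dropped:  rx_bytes=%lu\n", run_rx_path(rx_after_patch, 1));
    printf("snapshot,     dropped:  rx_bytes=%lu\n", run_rx_path(rx_snapshot, 1));
    printf("before patch, accepted: rx_bytes=%lu\n", run_rx_path(rx_before_patch, 0));
    return 0;
}
```

The accepted path looks identical in all three variants, which is why the bug only shows up under load; the rule the semantic match encodes is that once a buffer has been passed to netif_rx() or netif_rx_ni(), nothing in the driver may touch it again unless the variable has been reassigned.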
2007-12-10 18:03:33

by Jeff Dike

Subject: Re: [PATCH 1/3] Fix use of skb after netif_rx

On Sun, Dec 09, 2007 at 09:02:31PM +0100, Julia Lawall wrote:
> Recently, Wang Chen submitted a patch
> (d30f53aeb31d453a5230f526bea592af07944564) to move a call to netif_rx(skb)
> after a subsequent reference to skb, because netif_rx may call kfree_skb on
> its argument. The same problem occurs in some other drivers as well.
>
> This was found using the following semantic match.
> (http://www.emn.fr/x-info/coccinelle/)

Thanks, I'll forward this on.

Jeff

--
Work email - jdike at linux dot intel dot com

2007-12-11 01:15:16

by David Miller

Subject: Re: [PATCH 1/3] Fix use of skb after netif_rx

From: Julia Lawall <[email protected]>
Date: Sun, 9 Dec 2007 21:02:31 +0100 (CET)

> From: Julia Lawall <[email protected]>
>
> Recently, Wang Chen submitted a patch
> (d30f53aeb31d453a5230f526bea592af07944564) to move a call to netif_rx(skb)
> after a subsequent reference to skb, because netif_rx may call kfree_skb on
> its argument. The same problem occurs in some other drivers as well.
>
> This was found using the following semantic match.
> (http://www.emn.fr/x-info/coccinelle/)
...
> Signed-off-by: Julia Lawall <[email protected]>

Patch applied, thanks.