Subject: Re: [PATCH v2 1/2] ip_tunnel: fix potential issue in ip_tunnel_rcv
From: 严海双
Date: Thu, 8 Jun 2017 11:07:51 +0800
To: Pravin Shelar
Cc: "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, Linux Kernel Network Developers, LKML, Pravin B Shelar
References: <1496883476-17445-1-git-send-email-yanhaishuang@cmss.chinamobile.com>

> On 8 Jun 2017, at 10:13 AM, Pravin Shelar wrote:
>
> On Wed, Jun 7, 2017 at 5:57 PM, Haishuang Yan wrote:
>> When ip_tunnel_rcv fails, the tun_dst won't be freed, so move
>> skb_dst_set to begin and tun_dst would be freed by kfree_skb.
>>
>> CC: Pravin B Shelar
>> Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.")
>> Signed-off-by: Haishuang Yan
>> ---
>> net/ipv4/ip_tunnel.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
>> index b878ecb..27fc20f 100644
>> --- a/net/ipv4/ip_tunnel.c
>> +++ b/net/ipv4/ip_tunnel.c
>> @@ -386,6 +386,9 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, >> const struct iphdr *iph = ip_hdr(skb); >> int err; >> >> + if (tun_dst) >> + skb_dst_set(skb, (struct dst_entry *)tun_dst); >> + > If dst is set so early, skb_scrub_packet() would remove the tunnel dst > reference. > It is better to call skb_dst_drop() from error code path. Yes, I will change it in v3 commit, thanks! > >> #ifdef CONFIG_NET_IPGRE_BROADCAST >> if (ipv4_is_multicast(iph->daddr)) { >> tunnel->dev->stats.multicast++; >> @@ -439,9 +442,6 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, >> skb->dev = tunnel->dev; >> } >> >> - if (tun_dst) >> - skb_dst_set(skb, (struct dst_entry *)tun_dst); >> - >> gro_cells_receive(&tunnel->gro_cells, skb); >> return 0; >> >> -- >> 1.8.3.1 >> >> >> >
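Review bot: in the first hunk (`@@ -386,6 +386,9 @@`), attaching `tun_dst` with `skb_dst_set()` right after the `err` declaration puts it ahead of the rest of the receive path, and the reply above points out that `skb_scrub_packet()` would then remove the tunnel dst reference, so the metadata would be lost on the success path. Suggest leaving the assignment where it was and releasing `tun_dst` explicitly on the error path instead. The subject line would also be clearer if it named the problem the commit message describes (`tun_dst` not being freed when `ip_tunnel_rcv` fails) rather than a "potential issue".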
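Review bot: in the second hunk (`@@ -439,9 +442,6 @@`), removing the `skb_dst_set()` that sits immediately before `gro_cells_receive()` gives up the one placement that runs after all other processing in the function, and nothing in the visible context shows that a dst set at the top of the function is still attached at this point. Suggest keeping these three lines and confining the fix to the failure path, so the success path stays unchanged and this hunk is not needed.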