Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751969AbdFHDPR (ORCPT ); Wed, 7 Jun 2017 23:15:17 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:33325 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751783AbdFHDPO (ORCPT ); Wed, 7 Jun 2017 23:15:14 -0400 Message-ID: <1496891711.736.55.camel@edumazet-glaptop3.roam.corp.google.com> Subject: Re: [PATCH v2 1/2] ip_tunnel: fix potential issue in ip_tunnel_rcv From: Eric Dumazet To: Pravin Shelar Cc: Haishuang Yan , "=David S. Miller" , Alexey Kuznetsov , James Morris , Hideaki YOSHIFUJI , Patrick McHardy , Linux Kernel Network Developers , linux-kernel@vger.kernel.org, Pravin B Shelar , Haishuang Yan Date: Wed, 07 Jun 2017 20:15:11 -0700 In-Reply-To: References: <1496883476-17445-1-git-send-email-yanhaishuang@cmss.chinamobile.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1255 Lines: 32 On Wed, 2017-06-07 at 19:13 -0700, Pravin Shelar wrote: > On Wed, Jun 7, 2017 at 5:57 PM, Haishuang Yan > wrote: > > When ip_tunnel_rcv fails, the tun_dst won't be freed, so move > > skb_dst_set to begin and tun_dst would be freed by kfree_skb. > > > > CC: Pravin B Shelar > > Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.") > > Signed-off-by: Haishuang Yan > > --- > > net/ipv4/ip_tunnel.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c > > index b878ecb..27fc20f 100644 > > --- a/net/ipv4/ip_tunnel.c > > +++ b/net/ipv4/ip_tunnel.c > > @@ -386,6 +386,9 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, > > const struct iphdr *iph = ip_hdr(skb); > > int err; > > > > + if (tun_dst) > > + skb_dst_set(skb, (struct dst_entry *)tun_dst); > > + > If dst is set so early, skb_scrub_packet() would remove the tunnel dst > reference. > It is better to call skb_dst_drop() from error code path. Do we really want to keep a dst from another namespace if skb_scrub_packet() is called with xnet=true ?