Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp2439156pxy;
        Sun, 2 May 2021 23:09:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzv2FLhutHetIMCIvGUdfY2xVO23/xgksezOM6SiMJJMrC/+XMVhWgn4Ok7tOHYFDaZAHiD
X-Received: by 2002:a63:6f81:: with SMTP id k123mr16556753pgc.230.1620022161627;
        Sun, 02 May 2021 23:09:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620022161; cv=none;
        d=google.com; s=arc-20160816;
        b=bCY1mHa6MKQ0sPvyayegS6fjmG9FyAea8UIXe3MaA89OZC1F/iMqMqDYmXIYE+zeIg
         RW1oyWWmY6R8PetbEAjDLNfAu/14rTQVQiLeDLObYVsAWdgb+HecMjI5CV+d92uWc+Oz
         MTfu8jYMEJLvPiniRg//wOoFVbmdIaKGtYFXtRruipwo8rONOI4VshI5+zU4TO3VCFTL
         z16zEFwCkqI+LCf85VcRtV4A46N7Uty/86A1/rpjbj5S2VM8v3qnf1RCoujn1gaoLKBA
         h9SCChwJ/wbrpA3SQ/fIetpmB1lUm18jreh0Fryc4lw6m9NPwwS3MXVk6IapFnYFjyf8
         bZCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=aCcrSErNxvBoj5fyC3epLiepwpZec0GDdGp71BbCQDU=;
        b=EDlj2F+YWIFS20SoEHUx08dbChDJXLSBMJXzFjsuRtbJPJFa6hHvJOgFUhH8EiBsTT
         ezs4uMHOb5J4ILxWqAitby+Es3Yv7l2htqySN73JCz+Z9vhhxqRYEwWJ0dtOJqOWS+JS
         KzwrwBb3IHSzq2CFhlev6vFeWPs0IXXnYbG6y5sDLYVO3aYB8EkEantBv9ARja2biini
         3fHIORcG1CZ5Xa10/e0+Ban86jVp1xzfIWP/eoQRFWbq1Df8hzB21H26wvxyFVko5zbp
         8/gjlNHvt3DcG7X14xcYL2KnR/gkfhPGU2ujKQJAisfqp8gmTCzYex5RGflTMAoABVq+
         Y0aA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=JMwswjCp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 4si12943780pgj.569.2021.05.02.23.09.09;
        Sun, 02 May 2021 23:09:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=JMwswjCp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231743AbhECGHV (ORCPT <rfc822;liuzhichaoyc@gmail.com>
        + 99 others); Mon, 3 May 2021 02:07:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51760 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232377AbhECGHU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 May 2021 02:07:20 -0400
Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 275A4C06174A;
        Sun,  2 May 2021 23:06:27 -0700 (PDT)
Received: by mail-pg1-x533.google.com with SMTP id p12so2909840pgj.10;
        Sun, 02 May 2021 23:06:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=aCcrSErNxvBoj5fyC3epLiepwpZec0GDdGp71BbCQDU=;
        b=JMwswjCpATlYPl3tgBiU0u/60TfAgIVf1syaut2heTY7hLys0TT6KPVHYf8oN/7eLA
         MCLp/dObeKrjPKXwO7E01UIvFlnwAr5tEKcznnsgFuWvGk3IJL/OHf4aFFu4tsulg3xf
         qEVhFPRing0dfG6HvPV8fYYAKnY3PpBu6RRi7OvYKhvQm7kYueNpeUealabeAzJPsg25
         StKlyryEcWAS3Q4j+YglOIaI6S2H5JVVEmFmk0Q9bwzsjxobLd0M/QymP7WB38Cvb53f
         0ttlS174YP7eLngTKZnIQprp6xIAtjwzQjwMntaRjPchFaJE8IOyEmMAHiEL0QOc1d88
         AMXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=aCcrSErNxvBoj5fyC3epLiepwpZec0GDdGp71BbCQDU=;
        b=YPDHZq3rOsYjGj3LuQy//+CBXsYS9cdA45tzD7WFSeAjr6zq9F/pqWuabU/0uhLrwi
         mmUul9Y4z4qXSS9MlVh5FXLiC5xuB2GFAhpDtZwGrF6SmgGTiswfo0l9k8KDwA3K68NQ
         41jQXDbU1gBQOD+GYtW2bhRe21dhSfDr2uUyclsJFcJTpJDGga58M6D0LNyjRPOEMGBn
         mX55yWdsulcDCDzRLFgeniyXPqTr3tV3dA6pfxn72hmLjFswgizpQ2rMMFtyg6dEDFdQ
         MDPKBZa17OnG+CzNFtFn8i+jeY0rK9/zGPqHmkZ3DEx1z86h9sICkuhBWS2P5o0yal30
         HQTg==
X-Gm-Message-State: AOAM533meTXOvUdHpBFOAOdBm3tbBYTWkK3C0jqL7DZYtNPD2l4v6aF8
        T6vAgfHG44roxIt55+KCUX4=
X-Received: by 2002:a63:570e:: with SMTP id l14mr16714531pgb.159.1620021986721;
        Sun, 02 May 2021 23:06:26 -0700 (PDT)
Received: from shane-XPS-13-9380.attlocal.net ([2600:1700:4ca1:ade0:3a:4810:e38c:9b3])
        by smtp.gmail.com with ESMTPSA id md21sm16757731pjb.3.2021.05.02.23.06.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 02 May 2021 23:06:26 -0700 (PDT)
From:   Xie He <xie.he.0141@gmail.com>
To:     Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Cc:     khc@pm.waw.pl, davem@davemloft.net, kuba@kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit
Date:   Sun,  2 May 2021 23:06:22 -0700
Message-Id: <20210503060622.27128-1-xie.he.0141@gmail.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210328075008.4770-1-lyl2019@mail.ustc.edu.cn>
References: <20210328075008.4770-1-lyl2019@mail.ustc.edu.cn>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free
> the skb in the first time and goto drop. But the same skb is freed
> by kfree_skb(skb) in the second time in drop.
> 
> Maintaining the original function unchanged, my patch adds a new
> label out to avoid the double free if __skb_pad() failed.
> 
> Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>  drivers/net/wan/hdlc_fr.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
> index 0720f5f92caa..4d9dc7d15908 100644
> --- a/drivers/net/wan/hdlc_fr.c
> +++ b/drivers/net/wan/hdlc_fr.c
> @@ -415,7 +415,7 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev)
>  
>  		if (pad > 0) { /* Pad the frame with zeros */
>  			if (__skb_pad(skb, pad, false))
> -				goto drop;
> +				goto out;
>  			skb_put(skb, pad);
>  		}
>  	}
> @@ -448,8 +448,9 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev)
>  	return NETDEV_TX_OK;
>  
>  drop:
> -	dev->stats.tx_dropped++;
>  	kfree_skb(skb);
> +out:
> +	dev->stats.tx_dropped++;
>  	return NETDEV_TX_OK;
>  }
> 

1. This patch is incorrect. "__skb_pad" will NOT free the skb on failure
when its "free_on_error" parameter is "false".

2. If you think you fix my commit, please CC me so that I can review
your patch.

I have sent another patch to revert this.