2021-02-22 15:19:11

by Oleksij Rempel

Subject: [PATCH net v1 0/3] add support for skb with sk ref cloning

Hello,

this series tries to fix a long-standing problem in the CAN echo SKB
handling. The problem shows up if an echo SKB for a SKB that references
an already closed socket is created.

It looks like the mac80211/tx.c has the same problem, see RFC patch 3
for details.

regards,
Oleksij

Oleksij Rempel (3):
  skbuff: skb_clone_sk_optional(): add function to always clone a skb
    and increase refcount on sk if valid
  can: fix ref count warning if socket was closed before skb was cloned
  [RFC] mac80211: ieee80211_store_ack_skb(): make use of
    skb_clone_sk_optional()

include/linux/can/skb.h | 3 +--
include/linux/skbuff.h | 1 +
net/can/af_can.c | 6 +++---
net/can/j1939/main.c | 3 +--
net/can/j1939/socket.c | 3 +--
net/can/j1939/transport.c | 4 +---
net/core/skbuff.c | 27 +++++++++++++++++++++++++++
net/mac80211/tx.c | 6 +-----
8 files changed, 36 insertions(+), 17 deletions(-)

--
2.29.2


2021-02-22 15:20:06

by Oleksij Rempel

Subject: [PATCH net v1 1/3] skbuff: skb_clone_sk_optional(): add function to always clone a skb and increase refcount on sk if valid

There is already the function skb_clone_sk(), which clones the skb, but
only if the sk is valid.

There are several users in the networking stack, which always need a
clone of a skb with the sk refcount incremented (but only if the sk is
valid). This patch adds such a function.

Signed-off-by: Oleksij Rempel <[email protected]>
---
include/linux/skbuff.h | 1 +
net/core/skbuff.c | 27 +++++++++++++++++++++++++++
2 files changed, 28 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 6d0a33d1c0db..99d552017508 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3874,6 +3874,7 @@ static inline void skb_metadata_clear(struct sk_buff *skb)
skb_metadata_set(skb, 0);
}

+struct sk_buff *skb_clone_sk_optional(struct sk_buff *skb);
struct sk_buff *skb_clone_sk(struct sk_buff *skb);

#ifdef CONFIG_NETWORK_PHY_TIMESTAMPING
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 545a472273a5..97341f173fb0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4671,6 +4671,33 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk)
}
EXPORT_SYMBOL(sock_dequeue_err_skb);

+/**
+ * skb_clone_sk_optional - create clone of skb, and take reference to socket if
+ * socket is referenced in original skb
+ * @skb: the skb to clone
+ *
+ * This function always creates a clone of a buffer. If it that holds a valid
+ * reference on sk_refcnt this is increased.
+ */
+struct sk_buff *skb_clone_sk_optional(struct sk_buff *skb)
+{
+ struct sock *sk = skb->sk;
+ struct sk_buff *clone;
+
+ clone = skb_clone(skb, GFP_ATOMIC);
+ if (!clone)
+ return NULL;
+
+ if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
+ return clone;
+
+ clone->sk = sk;
+ clone->destructor = sock_efree;
+
+ return clone;
+}
+EXPORT_SYMBOL(skb_clone_sk_optional);
+
/**
* skb_clone_sk - create clone of skb, and take reference to socket
* @skb: the skb to clone
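
Review bot: The kernel-doc above skb_clone_sk_optional() does not state the return contract, and its second sentence ("If it that holds a valid reference on sk_refcnt this is increased") is garbled. Please spell out both outcomes: NULL is returned only when skb_clone() fails, and when skb->sk is NULL or refcount_inc_not_zero() refuses because sk_refcnt has already reached zero, the clone is returned without this function assigning clone->sk or the sock_efree destructor. Callers cannot tell those two "no socket" cases apart from the return value, so the comment should say that users must be prepared for a clone with no owning socket (the closed-socket case the cover letter describes). A smaller point: the allocation is hard-coded to GFP_ATOMIC, which is worth a line in the comment so that process-context callers know they cannot pass a sleeping mask.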
--
2.29.2