Re: [RFC v2 net-next 7/7] af_packet: use sk_skb_reason_drop to free rx packets

From: Simon Horman
Date: Tue Jun 04 2024 - 11:20:15 EST


On Fri, May 31, 2024 at 06:43:00PM -0700, Yan Zhai wrote:
> Replace kfree_skb_reason with sk_skb_reason_drop and pass the receiving
> socket to the tracepoint.
>
> Signed-off-by: Yan Zhai <yan@xxxxxxxxxxxxxx>
> ---
> net/packet/af_packet.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index fce390887591..3133d4eb4a1b 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c

Hi Yan Zhai,

Near the top of packet_rcv,
immediately after local variable declarations, and
before sk is initialised is the following:

	if (skb->pkt_type == PACKET_LOOPBACK)
		goto drop;

> @@ -2226,7 +2226,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
> skb->len = skb_len;
> }
> drop:
> - kfree_skb_reason(skb, drop_reason);
> + sk_skb_reason_drop(sk, skb, drop_reason);

So sk may be used uninitialised here.

Similarly in tpacket_rcv()

Flagged by clang-18 W=1 allmodconfig builds on x86_64.

> return 0;
> }
>
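Review bot: sk can reach `sk_skb_reason_drop(sk, skb, drop_reason)` at the `drop:` label without ever being assigned, through the early `goto drop` on `PACKET_LOOPBACK` quoted above, which runs before sk is initialised. The old `kfree_skb_reason(skb, drop_reason)` never read sk, so that path only becomes a problem with this conversion. Suggest giving sk a defined value on every path into `drop:`, either by assigning it before the `PACKET_LOOPBACK` check or by initialising it at declaration (for example to NULL, provided sk_skb_reason_drop is specified to accept a NULL socket), and stating in the commit message which of the two was chosen.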
> @@ -2494,7 +2494,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
> skb->len = skb_len;
> }
> drop:
> - kfree_skb_reason(skb, drop_reason);
> + sk_skb_reason_drop(sk, skb, drop_reason);
> return 0;
>
> drop_n_account:
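Review bot: the `drop:` label in tpacket_rcv has the same uninitialised read of sk that the reply above reports for packet_rcv ("Similarly in tpacket_rcv()"), since `sk_skb_reason_drop(sk, skb, drop_reason)` now reads a variable the old call never touched. Apply the same fix here as in packet_rcv so both receive paths hand the tracepoint either a valid socket or one well-defined "no socket" value, and rebuild with the clang-18 W=1 configuration mentioned above to confirm the warning is gone in both functions.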
> @@ -2503,7 +2503,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
> drop_reason = SKB_DROP_REASON_PACKET_SOCK_ERROR;
>
> sk->sk_data_ready(sk);
> - kfree_skb_reason(copy_skb, drop_reason);
> + sk_skb_reason_drop(sk, copy_skb, drop_reason);
> goto drop_n_restore;
> }
>
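Review bot: the uninitialised-sk concern raised for the two `drop:` labels does not extend to the copy_skb call in this hunk, because the context line `sk->sk_data_ready(sk);` directly above it already dereferences sk. This call can stay as written when the other two sites are fixed. If the fix is to initialise sk at declaration, it would help to note in the commit message that this site always sees the real receiving socket, so readers of the tracepoint output know which drops can carry an empty socket and which cannot.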
> --
> 2.30.2
>
>