[openib-general] [PATCH repost] IB/ipoib: fix skb leak
Michael S. Tsirkin
mst at mellanox.co.il
Tue Nov 28 00:51:52 PST 2006
ipoib_neigh_free is sometimes called while neighbour is still alive,
so it might have queued skbs. Fix skb leak in this case.
Signed-off-by: Michael S. Tsirkin <mst at mellanox.co.il>
---
Reposting. Seems obvious enough, does it not?
> Hi, Roland!
> I saw this potential issue when I went over the code.
> What do you think?
diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
index e5b793d..c0fb316 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -260,7 +279,7 @@ static inline struct ipoib_neigh **to_ip
}
struct ipoib_neigh *ipoib_neigh_alloc(struct neighbour *neigh);
-void ipoib_neigh_free(struct ipoib_neigh *neigh);
+void ipoib_neigh_free(struct net_dev *dev, struct ipoib_neigh *neigh);
extern struct workqueue_struct *ipoib_workqueue;
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 1eaf00e..ac7e421 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -262,7 +264,7 @@ static void path_free(struct net_device
if (neigh->ah)
ipoib_put_ah(neigh->ah);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);
@@ -517,9 +516,10 @@ static void neigh_add_path(struct sk_buf
} else {
neigh->ah = NULL;
- __skb_queue_tail(&neigh->queue, skb);
if (!path->query && path_rec_start(dev, path))
goto err_list;
+
+ __skb_queue_tail(&neigh->queue, skb);
}
spin_unlock(&priv->lock);
@@ -537,7 +533,7 @@ err_list:
list_del(&neigh->list);
err_path:
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
++priv->stats.tx_dropped;
dev_kfree_skb_any(skb);
@@ -655,9 +650,9 @@ static int ipoib_start_xmit(struct sk_bu
*/
ipoib_put_ah(neigh->ah);
list_del(&neigh->list);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
spin_unlock(&priv->lock);
ipoib_path_lookup(skb, dev);
goto out;
}
@@ -787,7 +781,7 @@ static void ipoib_neigh_destructor(struc
if (neigh->ah)
ah = neigh->ah;
list_del(&neigh->list);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);
@@ -810,9 +804,15 @@ struct ipoib_neigh *ipoib_neigh_alloc(st
return neigh;
}
-void ipoib_neigh_free(struct ipoib_neigh *neigh)
+void ipoib_neigh_free(struct net_device *dev, struct ipoib_neigh *neigh)
{
+ struct ipoib_dev_priv *priv = netdev_priv(dev);
+ struct sk_buff *skb;
*to_ipoib_neigh(neigh->neighbour) = NULL;
+ while ((skb = __skb_dequeue(&neigh->queue))) {
+ ++priv->stats.tx_dropped;
+ dev_kfree_skb_any(skb);
+ }
kfree(neigh);
}
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 3faa182..d282d65 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -114,7 +114,7 @@ static void ipoib_mcast_free(struct ipoi
*/
if (neigh->ah)
ipoib_put_ah(neigh->ah);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);
--
MST
More information about the general
mailing list