| From foo@baz Sat Jan 26 10:22:50 CET 2019 |
| From: Willem de Bruijn <willemb@google.com> |
| Date: Tue, 15 Jan 2019 11:40:02 -0500 |
| Subject: udp: with udp_segment release on error path |
| |
| From: Willem de Bruijn <willemb@google.com> |
| |
| [ Upstream commit 0f149c9fec3cd720628ecde83bfc6f64c1e7dcb6 ] |
| |
| Failure __ip_append_data triggers udp_flush_pending_frames, but these |
| tests happen later. The skb must be freed directly. |
| |
| Fixes: bec1f6f697362 ("udp: generate gso with UDP_SEGMENT") |
| Reported-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: Willem de Bruijn <willemb@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/udp.c | 16 ++++++++++++---- |
| net/ipv6/udp.c | 16 ++++++++++++---- |
| 2 files changed, 24 insertions(+), 8 deletions(-) |
| |
| --- a/net/ipv4/udp.c |
| +++ b/net/ipv4/udp.c |
| @@ -785,15 +785,23 @@ static int udp_send_skb(struct sk_buff * |
| const int hlen = skb_network_header_len(skb) + |
| sizeof(struct udphdr); |
| |
| - if (hlen + cork->gso_size > cork->fragsize) |
| + if (hlen + cork->gso_size > cork->fragsize) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| - if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) |
| + } |
| + if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| - if (sk->sk_no_check_tx) |
| + } |
| + if (sk->sk_no_check_tx) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| + } |
| if (skb->ip_summed != CHECKSUM_PARTIAL || is_udplite || |
| - dst_xfrm(skb_dst(skb))) |
| + dst_xfrm(skb_dst(skb))) { |
| + kfree_skb(skb); |
| return -EIO; |
| + } |
| |
| skb_shinfo(skb)->gso_size = cork->gso_size; |
| skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; |
| --- a/net/ipv6/udp.c |
| +++ b/net/ipv6/udp.c |
| @@ -1056,15 +1056,23 @@ static int udp_v6_send_skb(struct sk_buf |
| const int hlen = skb_network_header_len(skb) + |
| sizeof(struct udphdr); |
| |
| - if (hlen + cork->gso_size > cork->fragsize) |
| + if (hlen + cork->gso_size > cork->fragsize) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| - if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) |
| + } |
| + if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| - if (udp_sk(sk)->no_check6_tx) |
| + } |
| + if (udp_sk(sk)->no_check6_tx) { |
| + kfree_skb(skb); |
| return -EINVAL; |
| + } |
| if (skb->ip_summed != CHECKSUM_PARTIAL || is_udplite || |
| - dst_xfrm(skb_dst(skb))) |
| + dst_xfrm(skb_dst(skb))) { |
| + kfree_skb(skb); |
| return -EIO; |
| + } |
| |
| skb_shinfo(skb)->gso_size = cork->gso_size; |
| skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; |