* [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
@ 2014-11-04 21:36 Martin Townsend
2014-11-05 21:01 ` Alexander Aring
2014-11-06 10:34 ` Jukka Rissanen
0 siblings, 2 replies; 6+ messages in thread
From: Martin Townsend @ 2014-11-04 21:36 UTC (permalink / raw
To: linux-wpan, linux-bluetooth
Cc: alex.aring, jukka.rissanen, marcel, Martin Townsend
Currently we ensure that the skb is freed on every error path in IPHC
decompression which makes it easy to introduce skb leaks. By centralising
the skb_free into the receive function it makes future decompression routines
easier to maintain. It does come at the expense of ensuring that the skb
passed into the decompression routine must not be copied.
Signed-off-by: Martin Townsend <mtownsend1973@gmail.com>
---
net/6lowpan/iphc.c | 31 ++++++++++++-------------------
net/bluetooth/6lowpan.c | 15 +++++++--------
net/ieee802154/6lowpan_rtnl.c | 16 ++++++----------
3 files changed, 25 insertions(+), 37 deletions(-)
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index 73a7065..73b047c 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -319,7 +319,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
if (iphc1 & LOWPAN_IPHC_CID) {
pr_debug("CID flag is set, increase header with one\n");
if (lowpan_fetch_skb(skb, &num_context, sizeof(num_context)))
- goto drop;
+ return -EINVAL;
}
hdr.version = 6;
@@ -331,7 +331,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
*/
case 0: /* 00b */
if (lowpan_fetch_skb(skb, &tmp, sizeof(tmp)))
- goto drop;
+ return -EINVAL;
memcpy(&hdr.flow_lbl, &skb->data[0], 3);
skb_pull(skb, 3);
@@ -344,7 +344,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
*/
case 2: /* 10b */
if (lowpan_fetch_skb(skb, &tmp, sizeof(tmp)))
- goto drop;
+ return -EINVAL;
hdr.priority = ((tmp >> 2) & 0x0f);
hdr.flow_lbl[0] = ((tmp << 6) & 0xC0) | ((tmp >> 2) & 0x30);
@@ -354,7 +354,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
*/
case 1: /* 01b */
if (lowpan_fetch_skb(skb, &tmp, sizeof(tmp)))
- goto drop;
+ return -EINVAL;
hdr.flow_lbl[0] = (skb->data[0] & 0x0F) | ((tmp >> 2) & 0x30);
memcpy(&hdr.flow_lbl[1], &skb->data[0], 2);
@@ -371,7 +371,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
if ((iphc0 & LOWPAN_IPHC_NH_C) == 0) {
/* Next header is carried inline */
if (lowpan_fetch_skb(skb, &hdr.nexthdr, sizeof(hdr.nexthdr)))
- goto drop;
+ return -EINVAL;
pr_debug("NH flag is set, next header carried inline: %02x\n",
hdr.nexthdr);
@@ -383,7 +383,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
} else {
if (lowpan_fetch_skb(skb, &hdr.hop_limit,
sizeof(hdr.hop_limit)))
- goto drop;
+ return -EINVAL;
}
/* Extract SAM to the tmp variable */
@@ -402,7 +402,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
/* Check on error of previous branch */
if (err)
- goto drop;
+ return -EINVAL;
/* Extract DAM to the tmp variable */
tmp = ((iphc1 & LOWPAN_IPHC_DAM_11) >> LOWPAN_IPHC_DAM_BIT) & 0x03;
@@ -417,7 +417,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
tmp);
if (err)
- goto drop;
+ return -EINVAL;
}
} else {
err = uncompress_addr(skb, &hdr.daddr, tmp, daddr,
@@ -425,7 +425,7 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
pr_debug("dest: stateless compression mode %d dest %pI6c\n",
tmp, &hdr.daddr);
if (err)
- goto drop;
+ return -EINVAL;
}
/* UDP data uncompression */
@@ -434,16 +434,14 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
const int needed = sizeof(struct udphdr) + sizeof(hdr);
if (uncompress_udp_header(skb, &uh))
- goto drop;
+ return -EINVAL;
/* replace the compressed UDP head by the uncompressed UDP
* header
*/
err = skb_cow(skb, needed);
- if (unlikely(err)) {
- kfree_skb(skb);
+ if (unlikely(err))
return err;
- }
skb_push(skb, sizeof(struct udphdr));
skb_reset_transport_header(skb);
@@ -455,10 +453,8 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
hdr.nexthdr = UIP_PROTO_UDP;
} else {
err = skb_cow(skb, sizeof(hdr));
- if (unlikely(err)) {
- kfree_skb(skb);
+ if (unlikely(err))
return err;
- }
}
hdr.payload_len = htons(skb->len);
@@ -478,9 +474,6 @@ lowpan_header_decompress(struct sk_buff *skb, struct net_device *dev,
raw_dump_table(__func__, "raw header dump", (u8 *)&hdr, sizeof(hdr));
return 0;
-drop:
- kfree_skb(skb);
- return -EINVAL;
}
EXPORT_SYMBOL_GPL(lowpan_header_decompress);
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 7254bdd..ba630e3 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -294,20 +294,20 @@ static int iphc_decompress(struct sk_buff *skb, struct net_device *netdev,
peer = __peer_lookup_chan(dev, chan);
rcu_read_unlock();
if (!peer)
- goto drop;
+ return -EINVAL;
saddr = peer->eui64_addr;
daddr = dev->netdev->dev_addr;
/* at least two bytes will be used for the encoding */
if (skb->len < 2)
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc0))
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc1))
- goto drop;
+ return -EINVAL;
return lowpan_header_decompress(skb, netdev,
saddr, IEEE802154_ADDR_LONG,
@@ -315,9 +315,6 @@ static int iphc_decompress(struct sk_buff *skb, struct net_device *netdev,
IEEE802154_ADDR_LONG, EUI64_ADDR_LEN,
iphc0, iphc1);
-drop:
- kfree_skb(skb);
- return -EINVAL;
}
static int recv_pkt(struct sk_buff *skb, struct net_device *dev,
@@ -370,8 +367,10 @@ static int recv_pkt(struct sk_buff *skb, struct net_device *dev,
goto drop;
ret = iphc_decompress(local_skb, dev, chan);
- if (ret < 0)
+ if (ret < 0) {
+ kfree_skb(local_skb);
goto drop;
+ }
local_skb->protocol = htons(ETH_P_IPV6);
local_skb->pkt_type = PACKET_HOST;
diff --git a/net/ieee802154/6lowpan_rtnl.c b/net/ieee802154/6lowpan_rtnl.c
index 519a654..eb8fac5 100644
--- a/net/ieee802154/6lowpan_rtnl.c
+++ b/net/ieee802154/6lowpan_rtnl.c
@@ -176,13 +176,13 @@ iphc_decompress(struct sk_buff *skb, const struct ieee802154_hdr *hdr)
raw_dump_table(__func__, "raw skb data dump", skb->data, skb->len);
/* at least two bytes will be used for the encoding */
if (skb->len < 2)
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc0))
- goto drop;
+ return -EINVAL;
if (lowpan_fetch_skb_u8(skb, &iphc1))
- goto drop;
+ return -EINVAL;
ieee802154_addr_to_sa(&sa, &hdr->source);
ieee802154_addr_to_sa(&da, &hdr->dest);
@@ -200,10 +200,6 @@ iphc_decompress(struct sk_buff *skb, const struct ieee802154_hdr *hdr)
return lowpan_header_decompress(skb, skb->dev, sap, sa.addr_type,
IEEE802154_ADDR_LEN, dap, da.addr_type,
IEEE802154_ADDR_LEN, iphc0, iphc1);
-
-drop:
- kfree_skb(skb);
- return -EINVAL;
}
static int lowpan_set_address(struct net_device *dev, void *p)
@@ -544,7 +540,7 @@ static int lowpan_rcv(struct sk_buff *skb, struct net_device *dev,
case LOWPAN_DISPATCH_IPHC: /* ipv6 datagram */
ret = iphc_decompress(skb, &hdr);
if (ret < 0)
- goto drop;
+ goto drop_skb;
return lowpan_give_skb_to_devices(skb, NULL);
case LOWPAN_DISPATCH_FRAG1: /* first fragment header */
@@ -552,7 +548,7 @@ static int lowpan_rcv(struct sk_buff *skb, struct net_device *dev,
if (ret == 1) {
ret = iphc_decompress(skb, &hdr);
if (ret < 0)
- goto drop;
+ goto drop_skb;
return lowpan_give_skb_to_devices(skb, NULL);
} else if (ret == -1) {
@@ -565,7 +561,7 @@ static int lowpan_rcv(struct sk_buff *skb, struct net_device *dev,
if (ret == 1) {
ret = iphc_decompress(skb, &hdr);
if (ret < 0)
- goto drop;
+ goto drop_skb;
return lowpan_give_skb_to_devices(skb, NULL);
} else if (ret == -1) {
--
1.9.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
2014-11-04 21:36 [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression Martin Townsend
@ 2014-11-05 21:01 ` Alexander Aring
2014-11-06 8:11 ` Martin Townsend
2014-11-06 10:34 ` Jukka Rissanen
1 sibling, 1 reply; 6+ messages in thread
From: Alexander Aring @ 2014-11-05 21:01 UTC (permalink / raw
To: Martin Townsend; +Cc: linux-wpan, linux-bluetooth, jukka.rissanen, marcel
Hi Martin,
On Tue, Nov 04, 2014 at 09:36:21PM +0000, Martin Townsend wrote:
> Currently we ensure that the skb is freed on every error path in IPHC
> decompression which makes it easy to introduce skb leaks. By centralising
> the skb_free into the receive function it makes future decompression routines
> easier to maintain. It does come at the expense of ensuring that the skb
> passed into the decompression routine must not be copied.
>
I just want to give it a try and want to test it but I got a:
error: patch failed: net/ieee802154/6lowpan_rtnl.c:200
error: net/ieee802154/6lowpan_rtnl.c: patch does not apply ...
while applying.
Is the patch really based on bluetooth-next [0]? Please respin this one if
it doesn't break anything I will ack this one.
- Alex
[0] http://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
2014-11-05 21:01 ` Alexander Aring
@ 2014-11-06 8:11 ` Martin Townsend
0 siblings, 0 replies; 6+ messages in thread
From: Martin Townsend @ 2014-11-06 8:11 UTC (permalink / raw
To: Alexander Aring, Martin Townsend
Cc: linux-wpan, linux-bluetooth, jukka.rissanen, marcel
Hi Alex,
It should be based on bluetooth-next. I'll check when I get home tonight.
- Martin.
On 05/11/14 21:01, Alexander Aring wrote:
> Hi Martin,
>
> On Tue, Nov 04, 2014 at 09:36:21PM +0000, Martin Townsend wrote:
>> Currently we ensure that the skb is freed on every error path in IPHC
>> decompression which makes it easy to introduce skb leaks. By centralising
>> the skb_free into the receive function it makes future decompression routines
>> easier to maintain. It does come at the expense of ensuring that the skb
>> passed into the decompression routine must not be copied.
>>
> I just want to give it a try and want to test it but I got a:
>
> error: patch failed: net/ieee802154/6lowpan_rtnl.c:200
> error: net/ieee802154/6lowpan_rtnl.c: patch does not apply ...
>
> while applying.
>
> Is the patch really based on bluetooth-next [0]? Please respin this one if
> it doesn't break anything I will ack this one.
>
> - Alex
>
> [0] http://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wpan" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
2014-11-04 21:36 [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression Martin Townsend
2014-11-05 21:01 ` Alexander Aring
@ 2014-11-06 10:34 ` Jukka Rissanen
2014-11-06 10:44 ` Martin Townsend
1 sibling, 1 reply; 6+ messages in thread
From: Jukka Rissanen @ 2014-11-06 10:34 UTC (permalink / raw
To: Martin Townsend; +Cc: linux-wpan, linux-bluetooth, alex.aring, marcel
Hi Martin,
On ti, 2014-11-04 at 21:36 +0000, Martin Townsend wrote:
> Currently we ensure that the skb is freed on every error path in IPHC
> decompression which makes it easy to introduce skb leaks. By centralising
> the skb_free into the receive function it makes future decompression routines
> easier to maintain. It does come at the expense of ensuring that the skb
> passed into the decompression routine must not be copied.
Tested this with real bluetooth hw and no issues were found. Just rebase
the patch with latest upstream (conflict had a very simple fix) so ack
with actions to v2.
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Cheers,
Jukka
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
2014-11-06 10:34 ` Jukka Rissanen
@ 2014-11-06 10:44 ` Martin Townsend
2014-11-06 10:47 ` Jukka Rissanen
0 siblings, 1 reply; 6+ messages in thread
From: Martin Townsend @ 2014-11-06 10:44 UTC (permalink / raw
To: Jukka Rissanen, Martin Townsend
Cc: linux-wpan, linux-bluetooth, alex.aring, marcel
Thanks for testing Jukka,
I'll respin v2 later.
Out of interest, did you have kmemleak on?
- Martin.
On 06/11/14 10:34, Jukka Rissanen wrote:
> Hi Martin,
>
> On ti, 2014-11-04 at 21:36 +0000, Martin Townsend wrote:
>> Currently we ensure that the skb is freed on every error path in IPHC
>> decompression which makes it easy to introduce skb leaks. By centralising
>> the skb_free into the receive function it makes future decompression routines
>> easier to maintain. It does come at the expense of ensuring that the skb
>> passed into the decompression routine must not be copied.
> Tested this with real bluetooth hw and no issues were found. Just rebase
> the patch with latest upstream (conflict had a very simple fix) so ack
> with actions to v2.
>
> Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
>
>
> Cheers,
> Jukka
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wpan" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression.
2014-11-06 10:44 ` Martin Townsend
@ 2014-11-06 10:47 ` Jukka Rissanen
0 siblings, 0 replies; 6+ messages in thread
From: Jukka Rissanen @ 2014-11-06 10:47 UTC (permalink / raw
To: Martin Townsend
Cc: Martin Townsend, linux-wpan, linux-bluetooth, alex.aring, marcel
Hi Martin,
On to, 2014-11-06 at 10:44 +0000, Martin Townsend wrote:
> Thanks for testing Jukka,
>
> I'll respin v2 later.
> Out of interest, did you have kmemleak on?
Yes, kmemleak was on, no issues reported.
> - Martin.
>
> On 06/11/14 10:34, Jukka Rissanen wrote:
> > Hi Martin,
> >
> > On ti, 2014-11-04 at 21:36 +0000, Martin Townsend wrote:
> >> Currently we ensure that the skb is freed on every error path in IPHC
> >> decompression which makes it easy to introduce skb leaks. By centralising
> >> the skb_free into the receive function it makes future decompression routines
> >> easier to maintain. It does come at the expense of ensuring that the skb
> >> passed into the decompression routine must not be copied.
> > Tested this with real bluetooth hw and no issues were found. Just rebase
> > the patch with latest upstream (conflict had a very simple fix) so ack
> > with actions to v2.
> >
> > Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
> >
> >
Cheers,
Jukka
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-11-06 10:47 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-04 21:36 [PATCH bluetooth-next] 6lowpan: move skb_free from error paths in decompression Martin Townsend
2014-11-05 21:01 ` Alexander Aring
2014-11-06 8:11 ` Martin Townsend
2014-11-06 10:34 ` Jukka Rissanen
2014-11-06 10:44 ` Martin Townsend
2014-11-06 10:47 ` Jukka Rissanen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.