On 29.03.2021 11:02, Lv Yunlong wrote:
> In rtl8169_start_xmit, it calls rtl8169_tso_csum_v2(tp, skb, opts) and
> rtl8169_tso_csum_v2() calls __skb_put_padto(skb, padto, false). If
> __skb_put_padto() failed, it will free the skb in the first time and
> return error. Then rtl8169_start_xmit will goto err_dma_0.
>
No, the skb isn't freed here in case of error. Have a look at the
implementation of __skb_put_padto() and see also cc6528bc9a0c
("r8169: fix potential skb double free in an error path").
> But in err_dma_0 label, the skb is freed by dev_kfree_skb_any(skb) in
> the second time.
>
> My patch adds a new label inside the old err_dma_0 label to avoid the
> double free and renames the error labels to keep the origin function
> unchanged.
>
> Fixes: b8447abc4c8fb ("r8169: factor out rtl8169_tx_map")
> Signed-off-by: Lv Yunlong <lyl2...@mail.ustc.edu.cn>
> ---
> drivers/net/ethernet/realtek/r8169_main.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/ethernet/realtek/r8169_main.c
> b/drivers/net/ethernet/realtek/r8169_main.c
> index f704da3f214c..91c43399712b 100644
> --- a/drivers/net/ethernet/realtek/r8169_main.c
> +++ b/drivers/net/ethernet/realtek/r8169_main.c
> @@ -4217,13 +4217,13 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff
> *skb,
>
> if (unlikely(rtl8169_tx_map(tp, opts, skb_headlen(skb), skb->data,
> entry, false)))
> - goto err_dma_0;
> + goto err_dma_1;
>
> txd_first = tp->TxDescArray + entry;
>
> if (frags) {
> if (rtl8169_xmit_frags(tp, skb, opts, entry))
> - goto err_dma_1;
> + goto err_dma_2;
> entry = (entry + frags) % NUM_TX_DESC;
> }
>
> @@ -4270,10 +4270,11 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff
> *skb,
>
> return NETDEV_TX_OK;
>
> -err_dma_1:
> +err_dma_2:
> rtl8169_unmap_tx_skb(tp, entry);
> -err_dma_0:
> +err_dma_1:
> dev_kfree_skb_any(skb);
> +err_dma_0:
> dev->stats.tx_dropped++;
> return NETDEV_TX_OK;
>
>
