On Thu, 11 Aug 2016 15:49:12 +0800 Jason Wang <jasow...@redhat.com> wrote:
> This looks like a use-after-free. Could you pls try the following patch
> to see if it fixes your issue?
>
> diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c > index a38c0da..070e329 100644 > --- a/drivers/net/macvtap.c > +++ b/drivers/net/macvtap.c > @@ -275,7 +275,6 @@ static void macvtap_put_queue(struct macvtap_queue *q) > rtnl_unlock(); > > synchronize_rcu(); > - skb_array_cleanup(&q->skb_array); > sock_put(&q->sk); > } > > @@ -533,10 +532,8 @@ static void macvtap_sock_write_space(struct sock *sk) > static void macvtap_sock_destruct(struct sock *sk) > { > struct macvtap_queue *q = container_of(sk, struct > macvtap_queue, sk); > - struct sk_buff *skb; > > - while ((skb = skb_array_consume(&q->skb_array)) != NULL) > - kfree_skb(skb); > + skb_array_cleanup(&q->skb_array); > } > > static int macvtap_open(struct inode *inode, struct file *file)

Yes, that change fixes things for me.

Tested-by: Cornelia Huck <cornelia.h...@de.ibm.com>

Thanks for the quick reply!
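Review bot: in macvtap_put_queue(), nothing in the patch says which path still touches q->skb_array after the removed skb_array_cleanup() call, so the use-after-free being fixed is not documented. Please describe that path in the changelog, and consider a short comment next to sock_put(&q->sk) stating that the array is now released from macvtap_sock_destruct(), since its lifetime now depends on the final socket reference.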
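Review bot: in macvtap_sock_destruct(), the loop that consumed each queued skb and passed it to kfree_skb() is dropped and only skb_array_cleanup(&q->skb_array) remains, so please confirm that skb_array_cleanup() frees any skbs still sitting in the array. If it only releases the array storage, the queued skbs leak at socket destruction and the drain loop should stay ahead of the cleanup call.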