| Message ID | 20220822025346.3758558-1-yangyingliang@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d5485d9dd24e1d04e5509916515260186eb1455c |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net,v2,RESEND] net: neigh: don't call kfree_skb() under spin_lock_irqsave() | expand |
On 22/08/2022 05:53, Yang Yingliang wrote: > It is not allowed to call kfree_skb() from hardware interrupt > context or with interrupts being disabled. So add all skb to > a tmp list, then free them after spin_unlock_irqrestore() at > once. > > Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop") > Suggested-by: Denis V. Lunev <den@openvz.org> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > v2: > move all skb to a tmp list, then free them after spin_unlock_irqrestore(). > --- > net/core/neighbour.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > LGTM, Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Mon, 22 Aug 2022 10:53:46 +0800 you wrote: > It is not allowed to call kfree_skb() from hardware interrupt > context or with interrupts being disabled. So add all skb to > a tmp list, then free them after spin_unlock_irqrestore() at > once. > > Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop") > Suggested-by: Denis V. Lunev <den@openvz.org> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > > [...] Here is the summary with links: - [net,v2,RESEND] net: neigh: don't call kfree_skb() under spin_lock_irqsave() https://git.kernel.org/netdev/net/c/d5485d9dd24e You are awesome, thank you!
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 5b669eb80270..78cc8fb68814 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -309,14 +309,17 @@ static int neigh_del_timer(struct neighbour *n) static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net) { + struct sk_buff_head tmp; unsigned long flags; struct sk_buff *skb; + skb_queue_head_init(&tmp); spin_lock_irqsave(&list->lock, flags); skb = skb_peek(list); while (skb != NULL) { struct sk_buff *skb_next = skb_peek_next(skb, list); struct net_device *dev = skb->dev; + if (net == NULL || net_eq(dev_net(dev), net)) { struct in_device *in_dev; @@ -326,13 +329,16 @@ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net) in_dev->arp_parms->qlen--; rcu_read_unlock(); __skb_unlink(skb, list); - - dev_put(dev); - kfree_skb(skb); + __skb_queue_tail(&tmp, skb); } skb = skb_next; } spin_unlock_irqrestore(&list->lock, flags); + + while ((skb = __skb_dequeue(&tmp))) { + dev_put(skb->dev); + kfree_skb(skb); + } } static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So add all skb to a tmp list, then free them after spin_unlock_irqrestore() at once. Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop") Suggested-by: Denis V. Lunev <den@openvz.org> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- v2: move all skb to a tmp list, then free them after spin_unlock_irqrestore(). --- net/core/neighbour.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)