mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path

There is a possible issue with the use, or lack thereof of sk_refcnt and sk_wmem_alloc in the wifi ack status functionality. Specifically if a socket were to request acknowledgements, and the socket were to have sk_refcnt drop to 0 resulting in it waiting on sk_wmem_alloc to reach 0 it would be possible to have sock_queue_err_skb orphan the last buffer, resulting in __sk_free being called on the socket. After this the buffer is enqueued on sk_error_queue, however the queue has already been flushed resulting in at least a memory leak, if not a data corruption. Signed-off-by: N Alexander Duyck <alexander.h.duyck@intel.com> Acked-by: N Johannes Berg <johannes@sipsolutions.net> Signed-off-by: N David S. Miller <davem@davemloft.net>

mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path
There is a possible issue with the use, or lack thereof of sk_refcnt and sk_wmem_alloc in the wifi ack status functionality. Specifically if a socket were to request acknowledgements, and the socket were to have sk_refcnt drop to 0 resulting in it waiting on sk_wmem_alloc to reach 0 it would be possible to have sock_queue_err_skb orphan the last buffer, resulting in __sk_free being called on the socket. After this the buffer is enqueued on sk_error_queue, however the queue has already been flushed resulting in at least a memory leak, if not a data corruption. Signed-off-by: N Alexander Duyck <alexander.h.duyck@intel.com> Acked-by: N Johannes Berg <johannes@sipsolutions.net> Signed-off-by: N David S. Miller <davem@davemloft.net>
bf7fa551 · Alexander Duyck · David S. Miller · cab41c47 · bf7fa551 · bf7fa551
隐藏空白更改
内联并排

Showing with 9 addition and 11 deletion

net/core/skbuff.c net/core/skbuff.c +5 -0

net/mac80211/tx.c net/mac80211/tx.c +4 -11

未找到文件。
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3628,9 +3628,14 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
 	serr->ee.ee_errno = ENOMSG;
 	serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
+	/* take a reference to prevent skb_orphan() from freeing the socket */
+	sock_hold(sk);
 	err = sock_queue_err_skb(sk, skb);
 	if (err)
 		kfree_skb(skb);
+	sock_put(sk);
 }
 EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2072,30 +2072,23 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 	if (unlikely(!multicast && skb->sk &&
 		     skb_shinfo(skb)->tx_flags & SKBTX_WIFI_STATUS)) {
-		struct sk_buff *orig_skb = skb;
+		struct sk_buff *ack_skb = skb_clone_sk(skb);
-		skb = skb_clone(skb, GFP_ATOMIC);
+		if (ack_skb) {
-		if (skb) {
 			unsigned long flags;
 			int id;
 			spin_lock_irqsave(&local->ack_status_lock, flags);
-			id = idr_alloc(&local->ack_status_frames, orig_skb,
+			id = idr_alloc(&local->ack_status_frames, ack_skb,
 				       1, 0x10000, GFP_ATOMIC);
 			spin_unlock_irqrestore(&local->ack_status_lock, flags);
 			if (id >= 0) {
 				info_id = id;
 				info_flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
-			} else if (skb_shared(skb)) {
-				kfree_skb(orig_skb);
 			} else {
-				kfree_skb(skb);
+				kfree_skb(ack_skb);
-				skb = orig_skb;
 			}
-		} else {
-			/* couldn't clone -- lose tx status ... */
-			skb = orig_skb;
 		}
 	}