From: Florian Fainelli <f.faine...@gmail.com>
Date: Mon, 21 Aug 2017 12:41:31 -0700
> skb_put_padto() already frees the passed sk_buff reference upon error,
> so calling kfree_skb() on it again is not necessary.
>
> Detected by CoverityScan, CID#1416687 ("USE_AFTER_FREE")
>
> Fixes: e71cb9e00922 ("net: dsa: ksz: fix skb freeing")
> Signed-off-by: Florian Fainelli <f.faine...@gmail.com>
I know it seems like a lot of work, but with appropriate wrappers we
can control the freeing that skb_pad() does at the deepest part of
this call chain.
int __skb_pad(struct sk_buff *skb, int pad, bool free_skb_on_err);
static inline int skb_pad(struct sk_buff *skb, int pad)
{
return __skb_pad(skb, pad, true);
}
static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
bool free_skb_on_err)
{
unsigned int size = skb->len;
if (unlikely(size < len)) {
len -= size;
if (__skb_pad(skb, len, free_skb_on_err))
return -ENOMEM;
__skb_put(skb, len);
}
return 0;
}
static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
{
return __skb_put_padto(skb, len, true);
}
And then here in the ksz_xmit() code, invoke __skb_put_padto() with the
boolean set appropriately.
