Re: [PATCH] can: kvaser_usb: Don't free packets when tight on URBs
On Thu, Jan 01, 2015 at 01:59:13PM -0800, Stephen Hemminger wrote:
> On Tue, 23 Dec 2014 17:46:54 +0200
> "Ahmed S. Darwish" wrote:
>
> > int ret = NETDEV_TX_OK;
> > + bool kfree_skb_on_error = true;
> >
> > if (can_dropped_invalid_skb(netdev, skb))
> > return NETDEV_TX_OK;
> > @@ -1336,6 +1337,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct
> > sk_buff *skb,
> >
> > if (!context) {
> > netdev_warn(netdev, "cannot find free context\n");
> > + kfree_skb_on_error = false;
> > ret = NETDEV_TX_BUSY;
>
> You already have a flag value (ret == NETDEV_TX_BUSY), why
> not use that instead of introducing another variable?
Yes, that variable got implicitly removed in v2 patch 1/4.
Thanks,
--
Darwish
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] can: kvaser_usb: Don't free packets when tight on URBs
On Tue, 23 Dec 2014 17:46:54 +0200
"Ahmed S. Darwish" wrote:
> int ret = NETDEV_TX_OK;
> + bool kfree_skb_on_error = true;
>
> if (can_dropped_invalid_skb(netdev, skb))
> return NETDEV_TX_OK;
> @@ -1336,6 +1337,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
> *skb,
>
> if (!context) {
> netdev_warn(netdev, "cannot find free context\n");
> + kfree_skb_on_error = false;
> ret = NETDEV_TX_BUSY;
You already have a flag value (ret == NETDEV_TX_BUSY), why
not use that instead of introducing another variable?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] can: kvaser_usb: Don't free packets when tight on URBs
Hi Olivier,
On Wed, Dec 24, 2014 at 01:31:20PM +0100, Olivier Sobrie wrote:
> Hello Ahmed,
>
> On Tue, Dec 23, 2014 at 05:46:54PM +0200, Ahmed S. Darwish wrote:
> > From: Ahmed S. Darwish
> >
> > Flooding the Kvaser CAN to USB dongle with multiple reads and
> > writes in high frequency caused seemingly-random panics in the
> > kernel.
> >
> > On further inspection, it seems the driver erroneously freed the
> > to-be-transmitted packet upon getting tight on URBs and returning
> > NETDEV_TX_BUSY, leading to invalid memory writes and double frees
> > at a later point in time.
> >
> > Signed-off-by: Ahmed S. Darwish
>
> Thank you for the fix.
>
> > ---
> > drivers/net/can/usb/kvaser_usb.c | 8 +---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > (Generated over 3.19.0-rc1)
> >
> > diff --git a/drivers/net/can/usb/kvaser_usb.c
> > b/drivers/net/can/usb/kvaser_usb.c
> > index 541fb7a..34c35d8 100644
> > --- a/drivers/net/can/usb/kvaser_usb.c
> > +++ b/drivers/net/can/usb/kvaser_usb.c
> > @@ -1286,6 +1286,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct
> > sk_buff *skb,
> > struct kvaser_msg *msg;
> > int i, err;
> > int ret = NETDEV_TX_OK;
> > + bool kfree_skb_on_error = true;
> >
> > if (can_dropped_invalid_skb(netdev, skb))
> > return NETDEV_TX_OK;
> > @@ -1336,6 +1337,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct
> > sk_buff *skb,
> >
> > if (!context) {
> > netdev_warn(netdev, "cannot find free context\n");
> > + kfree_skb_on_error = false;
>
> Instead of using an extra variable, you can also set skb to NULL here.
> Or maybe better, you can move the dev_kfree_skb() in the two previous
> tests (in the check of variables urb and buf).
>
Nice, I'll move dev_kfree_skb() to the two earlier tests then.
Thanks,
P.S. mailer and patch identation; had to manually fix them
before replying (but thanks for the quick review, ofc ;-))
> Thank you,
>
> Olivier
>
> > ret = NETDEV_TX_BUSY;
> > goto releasebuf;
> > }
> > @@ -1364,8 +1366,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct
> > sk_buff *skb,
> > if (unlikely(err)) {
> > can_free_echo_skb(netdev, context->echo_index);
> >
> > - skb = NULL; /* set to NULL to avoid double free in
> > -* dev_kfree_skb(skb) */
> > + kfree_skb_on_error = false;
> >
> > atomic_dec(&priv->active_tx_urbs);
> > usb_unanchor_urb(urb);
> > @@ -1389,7 +1390,8 @@ releasebuf:
> > nobufmem:
> > usb_free_urb(urb);
> > nourbmem:
> > - dev_kfree_skb(skb);
> > + if (kfree_skb_on_error)
> > + dev_kfree_skb(skb);
> > return ret;
> > }
> >
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] can: kvaser_usb: Don't free packets when tight on URBs
Hello Ahmed,
On Tue, Dec 23, 2014 at 05:46:54PM +0200, Ahmed S. Darwish wrote:
> From: Ahmed S. Darwish
>
> Flooding the Kvaser CAN to USB dongle with multiple reads and
> writes in high frequency caused seemingly-random panics in the
> kernel.
>
> On further inspection, it seems the driver erroneously freed the
> to-be-transmitted packet upon getting tight on URBs and returning
> NETDEV_TX_BUSY, leading to invalid memory writes and double frees
> at a later point in time.
>
> Signed-off-by: Ahmed S. Darwish
Thank you for the fix.
> ---
> drivers/net/can/usb/kvaser_usb.c | 8 +---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> (Generated over 3.19.0-rc1)
>
> diff --git a/drivers/net/can/usb/kvaser_usb.c
> b/drivers/net/can/usb/kvaser_usb.c
> index 541fb7a..34c35d8 100644
> --- a/drivers/net/can/usb/kvaser_usb.c
> +++ b/drivers/net/can/usb/kvaser_usb.c
> @@ -1286,6 +1286,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
> *skb,
> struct kvaser_msg *msg;
> int i, err;
> int ret = NETDEV_TX_OK;
> + bool kfree_skb_on_error = true;
>
> if (can_dropped_invalid_skb(netdev, skb))
> return NETDEV_TX_OK;
> @@ -1336,6 +1337,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
> *skb,
>
> if (!context) {
> netdev_warn(netdev, "cannot find free context\n");
> + kfree_skb_on_error = false;
Instead of using an extra variable, you can also set skb to NULL here.
Or maybe better, you can move the dev_kfree_skb() in the two previous
tests (in the check of variables urb and buf).
Thank you,
Olivier
> ret = NETDEV_TX_BUSY;
> goto releasebuf;
> }
> @@ -1364,8 +1366,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
> *skb,
> if (unlikely(err)) {
> can_free_echo_skb(netdev, context->echo_index);
>
> - skb = NULL; /* set to NULL to avoid double free in
> - * dev_kfree_skb(skb) */
> + kfree_skb_on_error = false;
>
> atomic_dec(&priv->active_tx_urbs);
> usb_unanchor_urb(urb);
> @@ -1389,7 +1390,8 @@ releasebuf:
> nobufmem:
> usb_free_urb(urb);
> nourbmem:
> - dev_kfree_skb(skb);
> + if (kfree_skb_on_error)
> + dev_kfree_skb(skb);
> return ret;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] can: kvaser_usb: Don't free packets when tight on URBs
From: Ahmed S. Darwish
Flooding the Kvaser CAN to USB dongle with multiple reads and
writes in high frequency caused seemingly-random panics in the
kernel.
On further inspection, it seems the driver erroneously freed the
to-be-transmitted packet upon getting tight on URBs and returning
NETDEV_TX_BUSY, leading to invalid memory writes and double frees
at a later point in time.
Signed-off-by: Ahmed S. Darwish
---
drivers/net/can/usb/kvaser_usb.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
(Generated over 3.19.0-rc1)
diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c
index 541fb7a..34c35d8 100644
--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1286,6 +1286,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
*skb,
struct kvaser_msg *msg;
int i, err;
int ret = NETDEV_TX_OK;
+ bool kfree_skb_on_error = true;
if (can_dropped_invalid_skb(netdev, skb))
return NETDEV_TX_OK;
@@ -1336,6 +1337,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
*skb,
if (!context) {
netdev_warn(netdev, "cannot find free context\n");
+ kfree_skb_on_error = false;
ret = NETDEV_TX_BUSY;
goto releasebuf;
}
@@ -1364,8 +1366,7 @@ static netdev_tx_t kvaser_usb_start_xmit(struct sk_buff
*skb,
if (unlikely(err)) {
can_free_echo_skb(netdev, context->echo_index);
- skb = NULL; /* set to NULL to avoid double free in
-* dev_kfree_skb(skb) */
+ kfree_skb_on_error = false;
atomic_dec(&priv->active_tx_urbs);
usb_unanchor_urb(urb);
@@ -1389,7 +1390,8 @@ releasebuf:
nobufmem:
usb_free_urb(urb);
nourbmem:
- dev_kfree_skb(skb);
+ if (kfree_skb_on_error)
+ dev_kfree_skb(skb);
return ret;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
