Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e7820e39 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

net: Revert "net: avoid one atomic operation in skb_clone()" 



Not sure what I was thinking, but doing anything after
releasing a refcount is suicidal or/and embarrassing.

By the time we set skb->fclone to SKB_FCLONE_FREE, another cpu
could have released last reference and freed whole skb.

We potentially corrupt memory or trap if CONFIG_DEBUG_PAGEALLOC is set.

Reported-by: default avatarChris Mason <clm@fb.com>
Fixes: ce1a4ea3 ("net: avoid one atomic operation in skb_clone()")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 892d6eb1

net/core/skbuff.c

+6 −17
Original line number Diff line number Diff line
@@ -552,20 +552,13 @@ static void kfree_skbmem(struct sk_buff *skb) 
	case SKB_FCLONE_CLONE:

		fclones = container_of(skb, struct sk_buff_fclones, skb2);



		/* Warning : We must perform the atomic_dec_and_test() before

		 * setting skb->fclone back to SKB_FCLONE_FREE, otherwise

		 * skb_clone() could set clone_ref to 2 before our decrement.

		 * Anyway, if we are going to free the structure, no need to

		 * rewrite skb->fclone.

		 */

		if (atomic_dec_and_test(&fclones->fclone_ref)) {

			kmem_cache_free(skbuff_fclone_cache, fclones);

		} else {

		/* The clone portion is available for

		 * fast-cloning again.

		 */

		skb->fclone = SKB_FCLONE_FREE;

		}



		if (atomic_dec_and_test(&fclones->fclone_ref))

			kmem_cache_free(skbuff_fclone_cache, fclones);

		break;

	}

}
@@ -887,11 +880,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask) 
	if (skb->fclone == SKB_FCLONE_ORIG &&

	    n->fclone == SKB_FCLONE_FREE) {

		n->fclone = SKB_FCLONE_CLONE;

		/* As our fastclone was free, clone_ref must be 1 at this point.

		 * We could use atomic_inc() here, but it is faster

		 * to set the final value.

		 */

		atomic_set(&fclones->fclone_ref, 2);

		atomic_inc(&fclones->fclone_ref);

	} else {

		if (skb_pfmemalloc(skb))

			gfp_mask |= __GFP_MEMALLOC;