When err is zero but xskq_prod_reserve() fails, no error return code of
xsk_generic_xmit() is assigned.
To fix this bug, err is assigned with the return value of
xskq_prod_reserve(), and then err is checked.
The spinlock is only used to protect the call to xskq_prod_reserve().
Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
---
net/xdp/xsk.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 4faabd1ecfd1..f1c1db07dd07 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -484,8 +484,14 @@ static int xsk_generic_xmit(struct sock *sk)
* if there is space in it. This avoids having to implement
* any buffering in the Tx path.
*/
+ if (unlikely(err)) {
+ kfree_skb(skb);
+ goto out;
+ }
+
spin_lock_irqsave(&xs->pool->cq_lock, flags);
- if (unlikely(err) || xskq_prod_reserve(xs->pool->cq)) {
+ err = xskq_prod_reserve(xs->pool->cq);
+ if (unlikely(err)) {
spin_unlock_irqrestore(&xs->pool->cq_lock, flags);
kfree_skb(skb);
goto out;
--
2.17.1
