[bug report] net: ipv4: listified version of ip_rcv

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Edward Cree,

The patch 7da517a3bc52: "net: core: Another step of skb receive list
processing" from Jul 2, 2018, leads to the following static checker
warning:

	net/core/dev.c:5001 netif_receive_skb_list_internal()
	warn: 'skb' was already freed.

The patch 17266ee93984: "net: ipv4: listified version of ip_rcv" from
Jul 2, 2018, leads to the following static checker warning:

	./include/linux/netfilter.h:301 NF_HOOK_LIST()
	warn: 'skb' was already freed.

net/core/dev.c
  4982  static void netif_receive_skb_list_internal(struct list_head *head)
  4983  {
  4984          struct bpf_prog *xdp_prog = NULL;
  4985          struct sk_buff *skb, *next;
  4986  
  4987          list_for_each_entry_safe(skb, next, head, list) {
  4988                  net_timestamp_check(netdev_tstamp_prequeue, skb);
  4989                  if (skb_defer_rx_timestamp(skb))
  4990                          /* Handled, remove from list */
  4991                          list_del(&skb->list);
  4992          }
  4993  
  4994          if (static_branch_unlikely(&generic_xdp_needed_key)) {
  4995                  preempt_disable();
  4996                  rcu_read_lock();
  4997                  list_for_each_entry_safe(skb, next, head, list) {
  4998                          xdp_prog = rcu_dereference(skb->dev->xdp_prog);
  4999                          if (do_xdp_generic(xdp_prog, skb) != XDP_PASS)
  5000                                  /* Dropped, remove from list */
  5001                                  list_del(&skb->list);

do_xdp_generic() frees skb.

  5002                  }
  5003                  rcu_read_unlock();
  5004                  preempt_enable();
  5005          }

./include/linux/netfilter.h
   291  static inline void
   292  NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
   293               struct list_head *head, struct net_device *in, struct net_device *out,
   294               int (*okfn)(struct net *, struct sock *, struct sk_buff *))
   295  {
   296          struct sk_buff *skb, *next;
   297  
   298          list_for_each_entry_safe(skb, next, head, list) {
   299                  int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
   300                  if (ret != 1)
   301                          list_del(&skb->list);

For this one Smatch thinks that nf_hook() sometimes frees skb, but the
code is less clear to me than for the previous warning so I don't know.

   302          }
   303  }

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux