Commit 61d78537 authored by Wei Xu's avatar Wei Xu Committed by David S. Miller

tap: free skb if flags error

tap_recvmsg() supports accepting skb by msg_control after
commit 3b4ba04a ("tap: support receiving skb from msg_control"),
the skb if presented should be freed within the function, otherwise
it would be leaked.
Signed-off-by: default avatarWei Xu <wexu@redhat.com>
Reported-by: default avatarMatthew Rosato <mjrosato@linux.vnet.ibm.com>
Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c33ee15b
...@@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q, ...@@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q,
DEFINE_WAIT(wait); DEFINE_WAIT(wait);
ssize_t ret = 0; ssize_t ret = 0;
if (!iov_iter_count(to)) if (!iov_iter_count(to)) {
if (skb)
kfree_skb(skb);
return 0; return 0;
}
if (skb) if (skb)
goto put; goto put;
...@@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, ...@@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
size_t total_len, int flags) size_t total_len, int flags)
{ {
struct tap_queue *q = container_of(sock, struct tap_queue, sock); struct tap_queue *q = container_of(sock, struct tap_queue, sock);
struct sk_buff *skb = m->msg_control;
int ret; int ret;
if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
if (skb)
kfree_skb(skb);
return -EINVAL; return -EINVAL;
ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, }
m->msg_control); ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb);
if (ret > total_len) { if (ret > total_len) {
m->msg_flags |= MSG_TRUNC; m->msg_flags |= MSG_TRUNC;
ret = flags & MSG_TRUNC ? ret : total_len; ret = flags & MSG_TRUNC ? ret : total_len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment