Commit 38dc3b5f authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'llc-fix-sk_buff-refcounting'

Eric Biggers says:

====================
Patches 1-2 fix the memory leaks that syzbot has reported in net/llc:

	memory leak in llc_ui_create (2)
	memory leak in llc_ui_sendmsg
	memory leak in llc_conn_ac_send_sabme_cmd_p_set_x

Patches 3-4 fix related bugs that I noticed while reading this code.

Note: I've tested that this fixes the syzbot bugs, but otherwise I don't
know of any way to test this code.
====================
Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
parents 503c9add 36453c85
...@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); ...@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk);
/* Access to a connection */ /* Access to a connection */
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
......
...@@ -113,22 +113,26 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr) ...@@ -113,22 +113,26 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr)
* *
* Send data via reliable llc2 connection. * Send data via reliable llc2 connection.
* Returns 0 upon success, non-zero if action did not succeed. * Returns 0 upon success, non-zero if action did not succeed.
*
* This function always consumes a reference to the skb.
*/ */
static int llc_ui_send_data(struct sock* sk, struct sk_buff *skb, int noblock) static int llc_ui_send_data(struct sock* sk, struct sk_buff *skb, int noblock)
{ {
struct llc_sock* llc = llc_sk(sk); struct llc_sock* llc = llc_sk(sk);
int rc = 0;
if (unlikely(llc_data_accept_state(llc->state) || if (unlikely(llc_data_accept_state(llc->state) ||
llc->remote_busy_flag || llc->remote_busy_flag ||
llc->p_flag)) { llc->p_flag)) {
long timeout = sock_sndtimeo(sk, noblock); long timeout = sock_sndtimeo(sk, noblock);
int rc;
rc = llc_ui_wait_for_busy_core(sk, timeout); rc = llc_ui_wait_for_busy_core(sk, timeout);
} if (rc) {
if (unlikely(!rc)) kfree_skb(skb);
rc = llc_build_and_send_pkt(sk, skb);
return rc; return rc;
}
}
return llc_build_and_send_pkt(sk, skb);
} }
static void llc_ui_sk_init(struct socket *sock, struct sock *sk) static void llc_ui_sk_init(struct socket *sock, struct sock *sk)
...@@ -899,7 +903,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -899,7 +903,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
DECLARE_SOCKADDR(struct sockaddr_llc *, addr, msg->msg_name); DECLARE_SOCKADDR(struct sockaddr_llc *, addr, msg->msg_name);
int flags = msg->msg_flags; int flags = msg->msg_flags;
int noblock = flags & MSG_DONTWAIT; int noblock = flags & MSG_DONTWAIT;
struct sk_buff *skb; struct sk_buff *skb = NULL;
size_t size = 0; size_t size = 0;
int rc = -EINVAL, copied = 0, hdrlen; int rc = -EINVAL, copied = 0, hdrlen;
...@@ -908,10 +912,10 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -908,10 +912,10 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
lock_sock(sk); lock_sock(sk);
if (addr) { if (addr) {
if (msg->msg_namelen < sizeof(*addr)) if (msg->msg_namelen < sizeof(*addr))
goto release; goto out;
} else { } else {
if (llc_ui_addr_null(&llc->addr)) if (llc_ui_addr_null(&llc->addr))
goto release; goto out;
addr = &llc->addr; addr = &llc->addr;
} }
/* must bind connection to sap if user hasn't done it. */ /* must bind connection to sap if user hasn't done it. */
...@@ -919,7 +923,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -919,7 +923,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
/* bind to sap with null dev, exclusive. */ /* bind to sap with null dev, exclusive. */
rc = llc_ui_autobind(sock, addr); rc = llc_ui_autobind(sock, addr);
if (rc) if (rc)
goto release; goto out;
} }
hdrlen = llc->dev->hard_header_len + llc_ui_header_len(sk, addr); hdrlen = llc->dev->hard_header_len + llc_ui_header_len(sk, addr);
size = hdrlen + len; size = hdrlen + len;
...@@ -928,12 +932,12 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -928,12 +932,12 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
copied = size - hdrlen; copied = size - hdrlen;
rc = -EINVAL; rc = -EINVAL;
if (copied < 0) if (copied < 0)
goto release; goto out;
release_sock(sk); release_sock(sk);
skb = sock_alloc_send_skb(sk, size, noblock, &rc); skb = sock_alloc_send_skb(sk, size, noblock, &rc);
lock_sock(sk); lock_sock(sk);
if (!skb) if (!skb)
goto release; goto out;
skb->dev = llc->dev; skb->dev = llc->dev;
skb->protocol = llc_proto_type(addr->sllc_arphrd); skb->protocol = llc_proto_type(addr->sllc_arphrd);
skb_reserve(skb, hdrlen); skb_reserve(skb, hdrlen);
...@@ -943,29 +947,31 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) ...@@ -943,29 +947,31 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
if (sk->sk_type == SOCK_DGRAM || addr->sllc_ua) { if (sk->sk_type == SOCK_DGRAM || addr->sllc_ua) {
llc_build_and_send_ui_pkt(llc->sap, skb, addr->sllc_mac, llc_build_and_send_ui_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap); addr->sllc_sap);
skb = NULL;
goto out; goto out;
} }
if (addr->sllc_test) { if (addr->sllc_test) {
llc_build_and_send_test_pkt(llc->sap, skb, addr->sllc_mac, llc_build_and_send_test_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap); addr->sllc_sap);
skb = NULL;
goto out; goto out;
} }
if (addr->sllc_xid) { if (addr->sllc_xid) {
llc_build_and_send_xid_pkt(llc->sap, skb, addr->sllc_mac, llc_build_and_send_xid_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap); addr->sllc_sap);
skb = NULL;
goto out; goto out;
} }
rc = -ENOPROTOOPT; rc = -ENOPROTOOPT;
if (!(sk->sk_type == SOCK_STREAM && !addr->sllc_ua)) if (!(sk->sk_type == SOCK_STREAM && !addr->sllc_ua))
goto out; goto out;
rc = llc_ui_send_data(sk, skb, noblock); rc = llc_ui_send_data(sk, skb, noblock);
skb = NULL;
out: out:
if (rc) {
kfree_skb(skb); kfree_skb(skb);
release: if (rc)
dprintk("%s: failed sending from %02X to %02X: %d\n", dprintk("%s: failed sending from %02X to %02X: %d\n",
__func__, llc->laddr.lsap, llc->daddr.lsap, rc); __func__, llc->laddr.lsap, llc->daddr.lsap, rc);
}
release_sock(sk); release_sock(sk);
return rc ? : copied; return rc ? : copied;
} }
......
...@@ -372,6 +372,7 @@ int llc_conn_ac_send_i_cmd_p_set_1(struct sock *sk, struct sk_buff *skb) ...@@ -372,6 +372,7 @@ int llc_conn_ac_send_i_cmd_p_set_1(struct sock *sk, struct sk_buff *skb)
llc_pdu_init_as_i_cmd(skb, 1, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, 1, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
skb_get(skb);
llc_conn_send_pdu(sk, skb); llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
...@@ -389,7 +390,8 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb) ...@@ -389,7 +390,8 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb)
llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
rc = llc_conn_send_pdu(sk, skb); skb_get(skb);
llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
return rc; return rc;
...@@ -406,6 +408,7 @@ int llc_conn_ac_send_i_xxx_x_set_0(struct sock *sk, struct sk_buff *skb) ...@@ -406,6 +408,7 @@ int llc_conn_ac_send_i_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
skb_get(skb);
llc_conn_send_pdu(sk, skb); llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
...@@ -916,7 +919,8 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk, ...@@ -916,7 +919,8 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
rc = llc_conn_send_pdu(sk, skb); skb_get(skb);
llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
return rc; return rc;
......
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
#endif #endif
static int llc_find_offset(int state, int ev_type); static int llc_find_offset(int state, int ev_type);
static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); static void llc_conn_send_pdus(struct sock *sk);
static int llc_conn_service(struct sock *sk, struct sk_buff *skb); static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
static int llc_exec_conn_trans_actions(struct sock *sk, static int llc_exec_conn_trans_actions(struct sock *sk,
struct llc_conn_state_trans *trans, struct llc_conn_state_trans *trans,
...@@ -55,6 +55,8 @@ int sysctl_llc2_busy_timeout = LLC2_BUSY_TIME * HZ; ...@@ -55,6 +55,8 @@ int sysctl_llc2_busy_timeout = LLC2_BUSY_TIME * HZ;
* (executing it's actions and changing state), upper layer will be * (executing it's actions and changing state), upper layer will be
* indicated or confirmed, if needed. Returns 0 for success, 1 for * indicated or confirmed, if needed. Returns 0 for success, 1 for
* failure. The socket lock has to be held before calling this function. * failure. The socket lock has to be held before calling this function.
*
* This function always consumes a reference to the skb.
*/ */
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
{ {
...@@ -62,12 +64,6 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -62,12 +64,6 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
struct llc_sock *llc = llc_sk(skb->sk); struct llc_sock *llc = llc_sk(skb->sk);
struct llc_conn_state_ev *ev = llc_conn_ev(skb); struct llc_conn_state_ev *ev = llc_conn_ev(skb);
/*
* We have to hold the skb, because llc_conn_service will kfree it in
* the sending path and we need to look at the skb->cb, where we encode
* llc_conn_state_ev.
*/
skb_get(skb);
ev->ind_prim = ev->cfm_prim = 0; ev->ind_prim = ev->cfm_prim = 0;
/* /*
* Send event to state machine * Send event to state machine
...@@ -75,21 +71,12 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -75,21 +71,12 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
rc = llc_conn_service(skb->sk, skb); rc = llc_conn_service(skb->sk, skb);
if (unlikely(rc != 0)) { if (unlikely(rc != 0)) {
printk(KERN_ERR "%s: llc_conn_service failed\n", __func__); printk(KERN_ERR "%s: llc_conn_service failed\n", __func__);
goto out_kfree_skb;
}
if (unlikely(!ev->ind_prim && !ev->cfm_prim)) {
/* indicate or confirm not required */
if (!skb->next)
goto out_kfree_skb;
goto out_skb_put; goto out_skb_put;
} }
if (unlikely(ev->ind_prim && ev->cfm_prim)) /* Paranoia */
skb_get(skb);
switch (ev->ind_prim) { switch (ev->ind_prim) {
case LLC_DATA_PRIM: case LLC_DATA_PRIM:
skb_get(skb);
llc_save_primitive(sk, skb, LLC_DATA_PRIM); llc_save_primitive(sk, skb, LLC_DATA_PRIM);
if (unlikely(sock_queue_rcv_skb(sk, skb))) { if (unlikely(sock_queue_rcv_skb(sk, skb))) {
/* /*
...@@ -106,6 +93,7 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -106,6 +93,7 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
* skb->sk pointing to the newly created struct sock in * skb->sk pointing to the newly created struct sock in
* llc_conn_handler. -acme * llc_conn_handler. -acme
*/ */
skb_get(skb);
skb_queue_tail(&sk->sk_receive_queue, skb); skb_queue_tail(&sk->sk_receive_queue, skb);
sk->sk_state_change(sk); sk->sk_state_change(sk);
break; break;
...@@ -121,7 +109,6 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -121,7 +109,6 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
sk->sk_state_change(sk); sk->sk_state_change(sk);
} }
} }
kfree_skb(skb);
sock_put(sk); sock_put(sk);
break; break;
case LLC_RESET_PRIM: case LLC_RESET_PRIM:
...@@ -130,14 +117,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -130,14 +117,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
* RESET is not being notified to upper layers for now * RESET is not being notified to upper layers for now
*/ */
printk(KERN_INFO "%s: received a reset ind!\n", __func__); printk(KERN_INFO "%s: received a reset ind!\n", __func__);
kfree_skb(skb);
break; break;
default: default:
if (ev->ind_prim) { if (ev->ind_prim)
printk(KERN_INFO "%s: received unknown %d prim!\n", printk(KERN_INFO "%s: received unknown %d prim!\n",
__func__, ev->ind_prim); __func__, ev->ind_prim);
kfree_skb(skb);
}
/* No indication */ /* No indication */
break; break;
} }
...@@ -179,25 +163,22 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -179,25 +163,22 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
printk(KERN_INFO "%s: received a reset conf!\n", __func__); printk(KERN_INFO "%s: received a reset conf!\n", __func__);
break; break;
default: default:
if (ev->cfm_prim) { if (ev->cfm_prim)
printk(KERN_INFO "%s: received unknown %d prim!\n", printk(KERN_INFO "%s: received unknown %d prim!\n",
__func__, ev->cfm_prim); __func__, ev->cfm_prim);
/* No confirmation */
break; break;
} }
goto out_skb_put; /* No confirmation */
}
out_kfree_skb:
kfree_skb(skb);
out_skb_put: out_skb_put:
kfree_skb(skb); kfree_skb(skb);
return rc; return rc;
} }
int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
{ {
/* queue PDU to send to MAC layer */ /* queue PDU to send to MAC layer */
skb_queue_tail(&sk->sk_write_queue, skb); skb_queue_tail(&sk->sk_write_queue, skb);
return llc_conn_send_pdus(sk, skb); llc_conn_send_pdus(sk);
} }
/** /**
...@@ -255,7 +236,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit) ...@@ -255,7 +236,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit)
if (howmany_resend > 0) if (howmany_resend > 0)
llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
/* any PDUs to re-send are queued up; start sending to MAC */ /* any PDUs to re-send are queued up; start sending to MAC */
llc_conn_send_pdus(sk, NULL); llc_conn_send_pdus(sk);
out:; out:;
} }
...@@ -296,7 +277,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit) ...@@ -296,7 +277,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit)
if (howmany_resend > 0) if (howmany_resend > 0)
llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
/* any PDUs to re-send are queued up; start sending to MAC */ /* any PDUs to re-send are queued up; start sending to MAC */
llc_conn_send_pdus(sk, NULL); llc_conn_send_pdus(sk);
out:; out:;
} }
...@@ -340,16 +321,12 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked) ...@@ -340,16 +321,12 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked)
/** /**
* llc_conn_send_pdus - Sends queued PDUs * llc_conn_send_pdus - Sends queued PDUs
* @sk: active connection * @sk: active connection
* @hold_skb: the skb held by caller, or NULL if does not care
* *
* Sends queued pdus to MAC layer for transmission. When @hold_skb is * Sends queued pdus to MAC layer for transmission.
* NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
* successfully, or 1 for failure.
*/ */
static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) static void llc_conn_send_pdus(struct sock *sk)
{ {
struct sk_buff *skb; struct sk_buff *skb;
int ret = 0;
while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
...@@ -361,20 +338,10 @@ static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) ...@@ -361,20 +338,10 @@ static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
if (!skb2) if (!skb2)
break; break;
dev_queue_xmit(skb2); skb = skb2;
} else {
bool is_target = skb == hold_skb;
int rc;
if (is_target)
skb_get(skb);
rc = dev_queue_xmit(skb);
if (is_target)
ret = rc;
} }
dev_queue_xmit(skb);
} }
return ret;
} }
/** /**
......
...@@ -38,6 +38,8 @@ ...@@ -38,6 +38,8 @@
* closed and -EBUSY when sending data is not permitted in this state or * closed and -EBUSY when sending data is not permitted in this state or
* LLC has send an I pdu with p bit set to 1 and is waiting for it's * LLC has send an I pdu with p bit set to 1 and is waiting for it's
* response. * response.
*
* This function always consumes a reference to the skb.
*/ */
int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb) int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb)
{ {
...@@ -46,20 +48,22 @@ int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb) ...@@ -46,20 +48,22 @@ int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb)
struct llc_sock *llc = llc_sk(sk); struct llc_sock *llc = llc_sk(sk);
if (unlikely(llc->state == LLC_CONN_STATE_ADM)) if (unlikely(llc->state == LLC_CONN_STATE_ADM))
goto out; goto out_free;
rc = -EBUSY; rc = -EBUSY;
if (unlikely(llc_data_accept_state(llc->state) || /* data_conn_refuse */ if (unlikely(llc_data_accept_state(llc->state) || /* data_conn_refuse */
llc->p_flag)) { llc->p_flag)) {
llc->failed_data_req = 1; llc->failed_data_req = 1;
goto out; goto out_free;
} }
ev = llc_conn_ev(skb); ev = llc_conn_ev(skb);
ev->type = LLC_CONN_EV_TYPE_PRIM; ev->type = LLC_CONN_EV_TYPE_PRIM;
ev->prim = LLC_DATA_PRIM; ev->prim = LLC_DATA_PRIM;
ev->prim_type = LLC_PRIM_TYPE_REQ; ev->prim_type = LLC_PRIM_TYPE_REQ;
skb->dev = llc->dev; skb->dev = llc->dev;
rc = llc_conn_state_process(sk, skb); return llc_conn_state_process(sk, skb);
out:
out_free:
kfree_skb(skb);
return rc; return rc;
} }
......
...@@ -58,8 +58,10 @@ int llc_sap_action_send_ui(struct llc_sap *sap, struct sk_buff *skb) ...@@ -58,8 +58,10 @@ int llc_sap_action_send_ui(struct llc_sap *sap, struct sk_buff *skb)
ev->daddr.lsap, LLC_PDU_CMD); ev->daddr.lsap, LLC_PDU_CMD);
llc_pdu_init_as_ui_cmd(skb); llc_pdu_init_as_ui_cmd(skb);
rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
if (likely(!rc)) if (likely(!rc)) {
skb_get(skb);
rc = dev_queue_xmit(skb); rc = dev_queue_xmit(skb);
}
return rc; return rc;
} }
...@@ -81,8 +83,10 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb) ...@@ -81,8 +83,10 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb)
ev->daddr.lsap, LLC_PDU_CMD); ev->daddr.lsap, LLC_PDU_CMD);
llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0); llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0);
rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
if (likely(!rc)) if (likely(!rc)) {
skb_get(skb);
rc = dev_queue_xmit(skb); rc = dev_queue_xmit(skb);
}
return rc; return rc;
} }
...@@ -135,8 +139,10 @@ int llc_sap_action_send_test_c(struct llc_sap *sap, struct sk_buff *skb) ...@@ -135,8 +139,10 @@ int llc_sap_action_send_test_c(struct llc_sap *sap, struct sk_buff *skb)
ev->daddr.lsap, LLC_PDU_CMD); ev->daddr.lsap, LLC_PDU_CMD);
llc_pdu_init_as_test_cmd(skb); llc_pdu_init_as_test_cmd(skb);
rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac); rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
if (likely(!rc)) if (likely(!rc)) {
skb_get(skb);
rc = dev_queue_xmit(skb); rc = dev_queue_xmit(skb);
}
return rc; return rc;
} }
......
...@@ -197,29 +197,22 @@ static int llc_sap_next_state(struct llc_sap *sap, struct sk_buff *skb) ...@@ -197,29 +197,22 @@ static int llc_sap_next_state(struct llc_sap *sap, struct sk_buff *skb)
* After executing actions of the event, upper layer will be indicated * After executing actions of the event, upper layer will be indicated
* if needed(on receiving an UI frame). sk can be null for the * if needed(on receiving an UI frame). sk can be null for the
* datalink_proto case. * datalink_proto case.
*
* This function always consumes a reference to the skb.
*/ */
static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb) static void llc_sap_state_process(struct llc_sap *sap, struct sk_buff *skb)
{ {
struct llc_sap_state_ev *ev = llc_sap_ev(skb); struct llc_sap_state_ev *ev = llc_sap_ev(skb);
/*
* We have to hold the skb, because llc_sap_next_state
* will kfree it in the sending path and we need to
* look at the skb->cb, where we encode llc_sap_state_ev.
*/
skb_get(skb);
ev->ind_cfm_flag = 0; ev->ind_cfm_flag = 0;
llc_sap_next_state(sap, skb); llc_sap_next_state(sap, skb);
if (ev->ind_cfm_flag == LLC_IND) {
if (skb->sk->sk_state == TCP_LISTEN) if (ev->ind_cfm_flag == LLC_IND && skb->sk->sk_state != TCP_LISTEN) {
kfree_skb(skb);
else {
llc_save_primitive(skb->sk, skb, ev->prim); llc_save_primitive(skb->sk, skb, ev->prim);
/* queue skb to the user. */ /* queue skb to the user. */
if (sock_queue_rcv_skb(skb->sk, skb)) if (sock_queue_rcv_skb(skb->sk, skb) == 0)
kfree_skb(skb); return;
}
} }
kfree_skb(skb); kfree_skb(skb);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment