tap: free skb if flags error

[ Upstream commit 61d7853784 ]

tap_recvmsg() supports accepting skb by msg_control after
commit 3b4ba04acc ("tap: support receiving skb from msg_control"),
the skb if presented should be freed within the function, otherwise
it would be leaked.

Signed-off-by: Wei Xu <wexu@redhat.com>
Reported-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Wei Xu 2017-12-01 05:10:38 -05:00 committed by Greg Kroah-Hartman
parent 8067098c04
commit 616bada6fd

View file

@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q,
DEFINE_WAIT(wait);
ssize_t ret = 0;
if (!iov_iter_count(to))
if (!iov_iter_count(to)) {
if (skb)
kfree_skb(skb);
return 0;
}
if (skb)
goto put;
@ -1154,11 +1157,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
size_t total_len, int flags)
{
struct tap_queue *q = container_of(sock, struct tap_queue, sock);
struct sk_buff *skb = m->msg_control;
int ret;
if (flags & ~(MSG_DONTWAIT|MSG_TRUNC))
if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
if (skb)
kfree_skb(skb);
return -EINVAL;
ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT,
m->msg_control);
}
ret = tap_do_read(q, &m->msg_iter, flags & MSG_DONTWAIT, skb);
if (ret > total_len) {
m->msg_flags |= MSG_TRUNC;
ret = flags & MSG_TRUNC ? ret : total_len;