On Thu, 2017-06-01 at 08:58 -0700, Eric Dumazet wrote:
> On Thu, 2017-06-01 at 12:39 +0200, Paolo Abeni wrote:
> > On Wed, 2017-05-31 at 10:00 -0700, Eric Dumazet wrote:
> > > On Mon, 2017-05-29 at 17:27 +0200, Paolo Abeni wrote:
> > > > Since UDP no more uses sk->destructor, we can clear completely
> > > > the skb head state before enqueuing.
> > >
> > > ...
> > >
> > > > @@ -1739,6 +1740,9 @@ static int __udp_queue_rcv_skb(struct sock *sk,
> > > > struct sk_buff *skb)
> > > > sk_mark_napi_id_once(sk, skb);
> > > > }
> > > >
> > > > + /* drop all pending head states; dst, nf and sk are dropped by
> > > > caller */
> > > > + secpath_reset(skb);
> > > > +
> > >
> > > I wonder if using skb_release_head_state() would be more appropriate ?
> > >
> > > Surely more descriptive and probably not more expensive since all
> > > cache lines should be already hot at this point.
> >
> > Thank you for reviewing this.
> >
> > I would prefer not adding more code to the core, but I think we would
> > need something new, like:
> >
> > skb_reset_head_state()
> > {
> > skb_dst_drop(skb);
> > secpath_reset(skb);
> > nf_reset(skb);
> > skb_orphan(skb);
> > }
> >
> > because elsewhere the skb could be in inconsistent state: skb->sp !=
> > NULL but with its refcount is already decremented. WDYT?
>
> I do not believe skb->sk is set anymore in UDP receive path.
>
> If early demux sets skb->sk for a moment, skb_steal_sock() would set
> skb->sk back to NULL
I'm sorry, I do not follow. I'm concerned about the secpath field (skb-
>sp), which is the only one that can be not NULL in
__udp_queue_rcv_skb().
If the secpath is not NULL, calling there secpath_reset() (or the to-
be-introduced skb_reset_head_state()), we will properly release it and
we will clear the field, too.
Calling skb_release_head_state() in the same scenario, we release the
secpath, but we don't clear it. So if the packet is later dropped we
will get a double free, unless we add and use a specialized a
free_stateless_skb(), too.
Paolo
