IPoIB: Fix skb leak when freeing neighbour
authorMichael S. Tsirkin <mst@mellanox.co.il>
Thu, 16 Nov 2006 12:16:47 +0000 (14:16 +0200)
committerRoland Dreier <rolandd@cisco.com>
Wed, 29 Nov 2006 23:33:09 +0000 (15:33 -0800)
ipoib_neigh_free() is sometimes called while neighbour is still alive,
so it might still have queued skbs.  Fix skb leak in this case.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/ulp/ipoib/ipoib.h
drivers/infiniband/ulp/ipoib/ipoib_main.c
drivers/infiniband/ulp/ipoib/ipoib_multicast.c

index 0b8a79d..f2b6185 100644 (file)
@@ -233,7 +233,7 @@ static inline struct ipoib_neigh **to_ipoib_neigh(struct neighbour *neigh)
 }
 
 struct ipoib_neigh *ipoib_neigh_alloc(struct neighbour *neigh);
-void ipoib_neigh_free(struct ipoib_neigh *neigh);
+void ipoib_neigh_free(struct net_device *dev, struct ipoib_neigh *neigh);
 
 extern struct workqueue_struct *ipoib_workqueue;
 
index 85522da..5ba3154 100644 (file)
@@ -264,7 +264,7 @@ static void path_free(struct net_device *dev, struct ipoib_path *path)
                if (neigh->ah)
                        ipoib_put_ah(neigh->ah);
 
-               ipoib_neigh_free(neigh);
+               ipoib_neigh_free(dev, neigh);
        }
 
        spin_unlock_irqrestore(&priv->lock, flags);
@@ -525,10 +525,11 @@ static void neigh_add_path(struct sk_buff *skb, struct net_device *dev)
                ipoib_send(dev, skb, path->ah, IPOIB_QPN(skb->dst->neighbour->ha));
        } else {
                neigh->ah  = NULL;
-               __skb_queue_tail(&neigh->queue, skb);
 
                if (!path->query && path_rec_start(dev, path))
                        goto err_list;
+
+               __skb_queue_tail(&neigh->queue, skb);
        }
 
        spin_unlock(&priv->lock);
@@ -538,7 +539,7 @@ err_list:
        list_del(&neigh->list);
 
 err_path:
-       ipoib_neigh_free(neigh);
+       ipoib_neigh_free(dev, neigh);
        ++priv->stats.tx_dropped;
        dev_kfree_skb_any(skb);
 
@@ -655,7 +656,7 @@ static int ipoib_start_xmit(struct sk_buff *skb, struct net_device *dev)
                                 */
                                ipoib_put_ah(neigh->ah);
                                list_del(&neigh->list);
-                               ipoib_neigh_free(neigh);
+                               ipoib_neigh_free(dev, neigh);
                                spin_unlock(&priv->lock);
                                ipoib_path_lookup(skb, dev);
                                goto out;
@@ -786,7 +787,7 @@ static void ipoib_neigh_destructor(struct neighbour *n)
                if (neigh->ah)
                        ah = neigh->ah;
                list_del(&neigh->list);
-               ipoib_neigh_free(neigh);
+               ipoib_neigh_free(n->dev, neigh);
        }
 
        spin_unlock_irqrestore(&priv->lock, flags);
@@ -809,9 +810,15 @@ struct ipoib_neigh *ipoib_neigh_alloc(struct neighbour *neighbour)
        return neigh;
 }
 
-void ipoib_neigh_free(struct ipoib_neigh *neigh)
+void ipoib_neigh_free(struct net_device *dev, struct ipoib_neigh *neigh)
 {
+       struct ipoib_dev_priv *priv = netdev_priv(dev);
+       struct sk_buff *skb;
        *to_ipoib_neigh(neigh->neighbour) = NULL;
+       while ((skb = __skb_dequeue(&neigh->queue))) {
+               ++priv->stats.tx_dropped;
+               dev_kfree_skb_any(skb);
+       }
        kfree(neigh);
 }
 
index 3faa182..d282d65 100644 (file)
@@ -114,7 +114,7 @@ static void ipoib_mcast_free(struct ipoib_mcast *mcast)
                 */
                if (neigh->ah)
                        ipoib_put_ah(neigh->ah);
-               ipoib_neigh_free(neigh);
+               ipoib_neigh_free(dev, neigh);
        }
 
        spin_unlock_irqrestore(&priv->lock, flags);