IPoIB: Fix skb leak when freeing neighbour
ipoib_neigh_free() is sometimes called while neighbour is still alive,
so it might still have queued skbs. Fix skb leak in this case.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
index 0b8a79d..f2b6185 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -233,7 +233,7 @@
}
struct ipoib_neigh *ipoib_neigh_alloc(struct neighbour *neigh);
-void ipoib_neigh_free(struct ipoib_neigh *neigh);
+void ipoib_neigh_free(struct net_device *dev, struct ipoib_neigh *neigh);
extern struct workqueue_struct *ipoib_workqueue;
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 85522da..5ba3154 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -264,7 +264,7 @@
if (neigh->ah)
ipoib_put_ah(neigh->ah);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);
@@ -525,10 +525,11 @@
ipoib_send(dev, skb, path->ah, IPOIB_QPN(skb->dst->neighbour->ha));
} else {
neigh->ah = NULL;
- __skb_queue_tail(&neigh->queue, skb);
if (!path->query && path_rec_start(dev, path))
goto err_list;
+
+ __skb_queue_tail(&neigh->queue, skb);
}
spin_unlock(&priv->lock);
@@ -538,7 +539,7 @@
list_del(&neigh->list);
err_path:
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
++priv->stats.tx_dropped;
dev_kfree_skb_any(skb);
@@ -655,7 +656,7 @@
*/
ipoib_put_ah(neigh->ah);
list_del(&neigh->list);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
spin_unlock(&priv->lock);
ipoib_path_lookup(skb, dev);
goto out;
@@ -786,7 +787,7 @@
if (neigh->ah)
ah = neigh->ah;
list_del(&neigh->list);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(n->dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);
@@ -809,9 +810,15 @@
return neigh;
}
-void ipoib_neigh_free(struct ipoib_neigh *neigh)
+void ipoib_neigh_free(struct net_device *dev, struct ipoib_neigh *neigh)
{
+ struct ipoib_dev_priv *priv = netdev_priv(dev);
+ struct sk_buff *skb;
*to_ipoib_neigh(neigh->neighbour) = NULL;
+ while ((skb = __skb_dequeue(&neigh->queue))) {
+ ++priv->stats.tx_dropped;
+ dev_kfree_skb_any(skb);
+ }
kfree(neigh);
}
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 3faa182..d282d65 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -114,7 +114,7 @@
*/
if (neigh->ah)
ipoib_put_ah(neigh->ah);
- ipoib_neigh_free(neigh);
+ ipoib_neigh_free(dev, neigh);
}
spin_unlock_irqrestore(&priv->lock, flags);