From bb9db74fff0022edc617c2b192d9c9590975fb6e Mon Sep 17 00:00:00 2001 From: Avneesh Sachdev Date: Thu, 13 Oct 2016 03:09:22 +0000 Subject: [PATCH] Address potential memory leak and double-free in vhost_rx_handler. If a shared sk_buff was passed into vhost_rx_handler() it would clone it, and return RX_HANDLER_ANOTHER. However, it failed to tell the caller about the new sk_buff. The end result was that the new sk_buff would leak, and the old one would have its ref count decremented twice. The fix is to update the sk_buff ** passed in by the caller. Change-Id: Ifb29f245831cc7c9855c727442e5e7bd469123ed Closes-Bug: #1679929 --- linux/vhost_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/linux/vhost_dev.c b/linux/vhost_dev.c index 686cf1b0d..84ffd1b02 100644 --- a/linux/vhost_dev.c +++ b/linux/vhost_dev.c @@ -136,6 +136,7 @@ vhost_rx_handler(struct sk_buff **pskb) return RX_HANDLER_PASS; skb->dev = vdev; + *pskb = skb; (void)__sync_fetch_and_add(&vdev->stats.rx_bytes, skb->len); (void)__sync_fetch_and_add(&vdev->stats.rx_packets, 1);
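Review bot: the added `*pskb = skb;` in vhost_rx_handler() carries no comment, so the reason for it lives only in the commit message. A one-line comment above it would help, saying that skb may be a clone of a shared buffer and that the caller continues with whatever `*pskb` points to after RX_HANDLER_ANOTHER. Also, the `return RX_HANDLER_PASS;` just above the assignment exits before `*pskb` is updated. The clone step is outside this hunk, so please confirm that no path reaches that return after skb has been replaced by a clone; otherwise the same leak and double decrement described in the commit message would remain on that path.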