Date:      Thu, 18 Mar 2021 16:50:05 GMT
From:      Vincenzo Maffione <vmaffione@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 120a4bd4e9d0 - stable/13 - netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
Message-ID:  <202103181650.12IGo5WZ001299@gitrepo.freebsd.org>

The branch stable/13 has been updated by vmaffione:

URL: https://cgit.FreeBSD.org/src/commit/?id=120a4bd4e9d05147a9774a2ca4b4eff48e062442

commit 120a4bd4e9d05147a9774a2ca4b4eff48e062442
Author:     Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2021-03-15 17:39:18 +0000
Commit:     Vincenzo Maffione <vmaffione@FreeBSD.org>
CommitDate: 2021-03-18 16:40:23 +0000

    netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
    
    The netmap_ioctl() function has a reference counting bug in case of
    NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
    the function does not decrease the refcount of "nmd", which is
    increased by netmap_mem_find(), causing a refcount leak.
    
    Reported by:    Xiyu Yang <sherllyyang00@gmail.com>
    Submitted by:   Carl Smith <carl.smith@alliedtelesis.co.nz>
    MFC after: 3 days
    PR:     254311
    
    (cherry picked from commit 0ab5902e8ad93d0a9341dcce386b6c571ee02173)
---
 sys/dev/netmap/netmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index f37900712046..f9698096b47a 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -2646,6 +2646,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 		case NETMAP_REQ_PORT_INFO_GET: {
 			struct nmreq_port_info_get *req =
 				(struct nmreq_port_info_get *)(uintptr_t)hdr->nr_body;
+			int nmd_ref = 0;
 
 			NMG_LOCK();
 			do {
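Review bot: `int nmd_ref = 0;` in the NETMAP_REQ_PORT_INFO_GET case is an ownership flag with no comment saying what it tracks. A one-line comment at the declaration, stating that it is non-zero only while this case holds its own reference on nmd and must drop it before leaving, would keep the set site and the release site tied together for whoever next adds a `break` inside the do/while block.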
@@ -2687,6 +2688,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 						error = EINVAL;
 						break;
 					}
+					nmd_ref = 1;
 				}
 
 				error = netmap_mem_get_info(nmd, &req->nr_memsize, &memflags,
@@ -2704,6 +2706,8 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 				req->nr_host_rx_rings = na->num_host_rx_rings;
 			} while (0);
 			netmap_unget_na(na, ifp);
+			if (nmd_ref)
+				netmap_mem_put(nmd);
 			NMG_UNLOCK();
 			break;
 		}
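Review bot: the `if (nmd_ref) netmap_mem_put(nmd);` release after `netmap_unget_na(na, ifp)` is only correct if every path that takes a reference on nmd also sets nmd_ref, and nothing at this site says which acquisition it pairs with. A comment naming netmap_mem_find() as the matching get (per the commit message) would make that invariant checkable. It is also worth confirming during review that netmap_mem_put() is safe to call while NMG_LOCK is still held, since the put sits before `NMG_UNLOCK()`.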


