Date: Thu, 18 Mar 2021 16:57:15 GMT
From: Vincenzo Maffione <vmaffione@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 09b2bde74654 - stable/12 - netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
Message-ID: <202103181657.12IGvFYV012038@gitrepo.freebsd.org>
The branch stable/12 has been updated by vmaffione:

URL: https://cgit.FreeBSD.org/src/commit/?id=09b2bde74654a16c56ade52411c464ef79de8cd4

commit 09b2bde74654a16c56ade52411c464ef79de8cd4
Author: Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2021-03-15 17:39:18 +0000
Commit: Vincenzo Maffione <vmaffione@FreeBSD.org>
CommitDate: 2021-03-18 16:41:17 +0000

netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET

The netmap_ioctl() function has a reference counting bug in case of NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`, the function does not decrease the refcount of "nmd", which is increased by netmap_mem_find(), causing a refcount leak.

Reported by: Xiyu Yang <sherllyyang00@gmail.com>
Submitted by: Carl Smith <carl.smith@alliedtelesis.co.nz>
MFC after: 3 days
PR: 254311

(cherry picked from commit 0ab5902e8ad93d0a9341dcce386b6c571ee02173)

--- sys/dev/netmap/netmap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index ca5af6ab5217..6532856b21a1 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -2636,6 +2636,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, case NETMAP_REQ_PORT_INFO_GET: { struct nmreq_port_info_get *req = (struct nmreq_port_info_get *)(uintptr_t)hdr->nr_body; + int nmd_ref = 0; NMG_LOCK(); do { @@ -2677,6 +2678,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, error = EINVAL; break; } + nmd_ref = 1; } error = netmap_mem_get_info(nmd, &req->nr_memsize, &memflags, @@ -2694,6 +2696,8 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, req->nr_host_rx_rings = na->num_host_rx_rings; } while (0); netmap_unget_na(na, ifp); + if (nmd_ref) + netmap_mem_put(nmd); NMG_UNLOCK(); break; }
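
Review bot: `nmd_ref = 1;` in the second hunk (@@ -2677), placed after the `error = EINVAL; break;` block, is the only place the flag is set, and nothing in the diff says which call took the reference it tracks. A short comment there naming netmap_mem_find(), as the commit message does, would make the pairing with the later netmap_mem_put() clear to anyone who adds another exit from the do/while body.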
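
Review bot: the `if (nmd_ref)` release in the last hunk (@@ -2694) tests a flag that the first hunk declares as `int nmd_ref = 0;` although it only ever holds 0 or 1; a bool would state the intent more directly if the file's style permits it. The placement itself, after `} while (0);` and before NMG_UNLOCK(), means every `break` out of the loop reaches the netmap_mem_put(nmd) call while the lock is still held, which matches the fix the commit message describes.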