Date:      Thu, 18 Mar 2021 17:02:30 GMT
From:      Vincenzo Maffione <vmaffione@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 4019787f50a2 - stable/11 - netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
Message-ID:  <202103181702.12IH2UZe025089@gitrepo.freebsd.org>

The branch stable/11 has been updated by vmaffione:

URL: https://cgit.FreeBSD.org/src/commit/?id=4019787f50a2826e9a4bba6e70868467b3d6081a

commit 4019787f50a2826e9a4bba6e70868467b3d6081a
Author:     Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2021-03-15 17:39:18 +0000
Commit:     Vincenzo Maffione <vmaffione@FreeBSD.org>
CommitDate: 2021-03-18 16:54:01 +0000

    netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
    
    The netmap_ioctl() function has a reference counting bug in case of
    NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
    the function does not decrease the refcount of "nmd", which is
    increased by netmap_mem_find(), causing a refcount leak.
    
    Reported by:    Xiyu Yang <sherllyyang00@gmail.com>
    Submitted by:   Carl Smith <carl.smith@alliedtelesis.co.nz>
    MFC after: 3 days
    PR:     254311
---
 sys/dev/netmap/netmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index 9d10aa4d6828..420287516aa6 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -2596,6 +2596,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 		case NETMAP_REQ_PORT_INFO_GET: {
 			struct nmreq_port_info_get *req =
 				(struct nmreq_port_info_get *)(uintptr_t)hdr->nr_body;
+			int nmd_ref = 0;
 
 			NMG_LOCK();
 			do {
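Review bot: the new `int nmd_ref = 0;` at the top of the NETMAP_REQ_PORT_INFO_GET case is an ownership flag with no comment saying what it tracks. A one-line comment that it records a reference taken by netmap_mem_find(), which this case must drop before leaving, would explain why a separate flag is used rather than a test on nmd itself.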
@@ -2635,6 +2636,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 						error = EINVAL;
 						break;
 					}
+					nmd_ref = 1;
 				}
 
 				error = netmap_mem_get_info(nmd, &req->nr_memsize, &memflags,
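Review bot: `nmd_ref = 1;` is only correct because it sits after the `error = EINVAL; break;` block, so a failed lookup leaves the flag at 0 and a successful one always sets it. Any early `break` later added between the lookup and this assignment would bring the leak back, so keep the assignment immediately after the failure check and consider a comment naming netmap_mem_find() as the call it pairs with. The netmap_mem_get_info() call that follows is covered, since the flag is already set when it runs.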
@@ -2650,6 +2652,8 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data,
 				req->nr_tx_slots = na->num_tx_desc;
 			} while (0);
 			netmap_unget_na(na, ifp);
+			if (nmd_ref)
+				netmap_mem_put(nmd);
 			NMG_UNLOCK();
 			break;
 		}
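Review bot: the `if (nmd_ref) netmap_mem_put(nmd);` added after `netmap_unget_na(na, ifp)` runs before `NMG_UNLOCK()`, so the reference is dropped with the global lock still held; please confirm netmap_mem_put() is safe to call under NMG_LOCK and that releasing it after netmap_unget_na() is the intended order. Placing it after the `while (0)` is the right choice, because every `break` inside the loop then reaches the put.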


