Date: Tue, 30 Jun 2015 17:19:59 +0000 (UTC) From: Navdeep Parhar <np@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r284961 - in head/sys: kern netinet sys Message-ID: <201506301719.t5UHJxlE011522@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: np Date: Tue Jun 30 17:19:58 2015 New Revision: 284961 URL: https://svnweb.freebsd.org/changeset/base/284961 Log: Fix leak in tcp_lro_rx. Simply clearing M_PKTHDR isn't enough, any tags hanging off the header need to be freed too. Differential Revision: https://reviews.freebsd.org/D2708 Reviewed by: ae@, hiren@ Modified: head/sys/kern/uipc_mbuf.c head/sys/netinet/tcp_lro.c head/sys/sys/mbuf.h Modified: head/sys/kern/uipc_mbuf.c ============================================================================== --- head/sys/kern/uipc_mbuf.c Tue Jun 30 17:09:41 2015 (r284960) +++ head/sys/kern/uipc_mbuf.c Tue Jun 30 17:19:58 2015 (r284961) @@ -420,6 +420,17 @@ mb_dupcl(struct mbuf *n, struct mbuf *m) n->m_flags |= m->m_flags & M_RDONLY; } +void +m_demote_pkthdr(struct mbuf *m) +{ + + M_ASSERTPKTHDR(m); + + m_tag_delete_chain(m, NULL); + m->m_flags &= ~M_PKTHDR; + bzero(&m->m_pkthdr, sizeof(struct pkthdr)); +} + /* * Clean up mbuf (chain) from any tags and packet headers. * If "all" is set then the first mbuf in the chain will be @@ -433,11 +444,8 @@ m_demote(struct mbuf *m0, int all, int f for (m = all ? m0 : m0->m_next; m != NULL; m = m->m_next) { KASSERT(m->m_nextpkt == NULL, ("%s: m_nextpkt in m %p, m0 %p", __func__, m, m0)); - if (m->m_flags & M_PKTHDR) { - m_tag_delete_chain(m, NULL); - m->m_flags &= ~M_PKTHDR; - bzero(&m->m_pkthdr, sizeof(struct pkthdr)); - } + if (m->m_flags & M_PKTHDR) + m_demote_pkthdr(m); m->m_flags = m->m_flags & (M_EXT | M_RDONLY | M_NOFREE | flags); } } Modified: head/sys/netinet/tcp_lro.c ============================================================================== --- head/sys/netinet/tcp_lro.c Tue Jun 30 17:09:41 2015 (r284960) +++ head/sys/netinet/tcp_lro.c Tue Jun 30 17:19:58 2015 (r284961) @@ -550,7 +550,7 @@ tcp_lro_rx(struct lro_ctrl *lc, struct m * append new segment to existing mbuf chain. */ m_adj(m, m->m_pkthdr.len - tcp_data_len); - m->m_flags &= ~M_PKTHDR; + m_demote_pkthdr(m); le->m_tail->m_next = m; le->m_tail = m_last(m); Modified: head/sys/sys/mbuf.h ============================================================================== --- head/sys/sys/mbuf.h Tue Jun 30 17:09:41 2015 (r284960) +++ head/sys/sys/mbuf.h Tue Jun 30 17:19:58 2015 (r284961) @@ -959,6 +959,7 @@ struct mbuf *m_copypacket(struct mbuf *, void m_copy_pkthdr(struct mbuf *, struct mbuf *); struct mbuf *m_copyup(struct mbuf *, int, int); struct mbuf *m_defrag(struct mbuf *, int); +void m_demote_pkthdr(struct mbuf *); void m_demote(struct mbuf *, int, int); struct mbuf *m_devget(char *, int, int, struct ifnet *, void (*)(char *, caddr_t, u_int));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506301719.t5UHJxlE011522>