mbuf leak in kern_sendit?
Sreekanth Rupavatharam
rupavath at juniper.net
Sat Jul 9 06:47:47 UTC 2016
I see in kern_sendit() function (stable/10), the control mbuf doesn’t get freed on error. E.g.,
    if (mp->msg_name != NULL) {
        error = mac_socket_check_connect(td->td_ucred, so,
            mp->msg_name);
        if (error != 0)
            goto bad;    /* ⇐ Here */
    }
or
    for (i = 0; i < mp->msg_iovlen; i++, iov++) {
        if ((auio.uio_resid += iov->iov_len) < 0) {
            error = EINVAL;
            goto bad;    /* ⇐ Here */
        }
    }
    ...
bad:
    fdrop(fp, td);
    return (error);
No free of control mbuf here either.
Actually, the only place where the mbuf gets freed is when it calls pru_sosend where it gets freed in there. Am I missing something here? E.g., tracking the call trace from sendit
    sendit()
        sockargs() -> control mbuf is allocated here
        kern_sendit() -> it’s freed only on pru_sosend()
control not freed on error. Am I missing something?
Thanks,
-Sreekanth
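
The ownership pattern the post asks about, as an added user-space model (not FreeBSD source and not the poster's code): a caller allocates a control buffer, hands it to a callee, and the callee's error label either frees it or does not. All model_* names, the fixed pool and the free_on_bad switch are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space stand-ins with assumed names; this is not the kernel mbuf API. */
struct model_mbuf { int in_use; };
static struct model_mbuf pool[4];

static struct model_mbuf *model_alloc(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void model_free(struct model_mbuf *m) { if (m != NULL) m->in_use = 0; }
static int model_live(void) {
    int n = 0;
    for (size_t i = 0; i < 4; i++) n += pool[i].in_use;
    return n;
}

/* Stand-in for pru_sosend(): the post says control is freed in there. */
static int model_sosend(struct model_mbuf *control) { model_free(control); return 0; }

/* Shape of the quoted kern_sendit(): an early check jumps to bad before the send. */
static int model_kern_sendit(struct model_mbuf *control, int check_error, int free_on_bad) {
    int error;
    if (check_error != 0) {
        error = check_error;
        goto bad;
    }
    return model_sosend(control);
bad:
    if (free_on_bad)
        model_free(control);    /* the cleanup the post finds missing */
    return error;
}

/* Shape of sendit(): control is allocated first (sockargs() in the post), then
 * handed off. Returns how many buffers are still live after the call returns. */
static int model_sendit(int check_error, int free_on_bad) {
    for (size_t i = 0; i < 4; i++) pool[i].in_use = 0;   /* fresh pool per run */
    struct model_mbuf *control = model_alloc();
    (void)model_kern_sendit(control, check_error, free_on_bad);
    return model_live();
}

int main(void) {
    printf("success path:          %d live\n", model_sendit(0, 0));
    printf("error, no free at bad: %d live\n", model_sendit(EINVAL, 0));
    printf("error, free at bad:    %d live\n", model_sendit(EINVAL, 1));
    return 0;
}
```

A non-zero count after an error return is the condition the post describes: the only free is on the send path, so any earlier goto bad leaves the buffer owned by nobody.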