git: 828df4d36d9d - main - netlink: Fix overallocation of netlink message buffers
Date: Mon, 24 Nov 2025 15:58:26 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=828df4d36d9d5a6ca0dcc294d65572b4a0474142
commit 828df4d36d9d5a6ca0dcc294d65572b4a0474142
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2025-11-24 15:55:05 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2025-11-24 15:55:05 +0000
netlink: Fix overallocation of netlink message buffers
Prior to commit 0c511bafdd5b309505c13c8dc7c6816686d1e103, each time
snl_realloc_msg_buffer was called, it called snl_allocz to request a
new buffer. If an existing linear buffer was used, then after the
call, the linear buffer effectively contained the old buffer contents
followed by the new buffer (so there was definitely wasted memory),
but the linear buffer state was consistent (lb->offset correctly
accounted for both copies). For example, if the initial linear buffer
was 256 bytes in size, lb->size would be 256. Using 16 bytes followed
by 32 bytes would first set lb->offset to 16, then the second realloc
would allocate 48 bytes (16 + 32) setting lb->offset to 64 (16 + 48).
Commit 0c511bafdd5b309505c13c8dc7c6816686d1e103 aimed to avoid this
memory waste by resetting the base pointer to the start of the
existing linear buffer if the new allocation was later in the same
linear buffer. This avoided some of the waste, but broke the
accounting. Using the same example above, the second realloc would
reuse the pointer at an offset of 0, but the linear buffer would still
claim that 64 bytes was allocated via lb->offset rather than the true
allocation of 48 bytes.
One approach to fix this would be to "extend" the allocation of an
existing linear buffer where a realloc would try to increase
lb->offset without setting a new base pointer so long as there was
still room remaining in the linear buffer for the new request.
However, this change takes a simpler approach. If snl_allocz()
returned an allocation from a new linear buffer, just claim the entire
linear buffer for use by the snl_writer ensuring the accounting is
correct in both the linear buffer and the snl writer. With this
approach, the initial snl_writer size would be 256 bytes for a 256
byte linear buffer and would only grow if it needs to allocate an
entirely new linear buffer.
Reviewed by: igoro
Fixes: 0c511bafdd5b ("netlink: fix snl_writer and linear_buffer re-allocation logic")
Sponsored by: AFRL, DARPA
Differential Revision: https://reviews.freebsd.org/D53697
---
sys/netlink/netlink_snl.h | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/sys/netlink/netlink_snl.h b/sys/netlink/netlink_snl.h
index 57f7e1e29d08..1e560e029718 100644
--- a/sys/netlink/netlink_snl.h
+++ b/sys/netlink/netlink_snl.h
@@ -1082,6 +1082,7 @@ snl_init_writer(struct snl_state *ss, struct snl_writer *nw)
static inline bool
snl_realloc_msg_buffer(struct snl_writer *nw, size_t sz)
{
+ void *new_base;
uint32_t new_size = nw->size * 2;
while (new_size < nw->size + sz)
@@ -1090,23 +1091,27 @@ snl_realloc_msg_buffer(struct snl_writer *nw, size_t sz)
if (nw->error)
return (false);
- if (snl_allocz(nw->ss, new_size) == NULL) {
+ new_base = snl_allocz(nw->ss, new_size);
+ if (new_base == NULL) {
nw->error = true;
return (false);
}
- nw->size = new_size;
- void *new_base = nw->ss->lb->base;
- if (new_base != nw->base) {
- memcpy(new_base, nw->base, nw->offset);
- if (nw->hdr != NULL) {
- int hdr_off = (char *)(nw->hdr) - nw->base;
+ if (new_base == nw->ss->lb->base) {
+ /* Claim the entire linear buffer. */
+ nw->size = nw->ss->lb->size;
+ nw->ss->lb->offset = nw->ss->lb->size;
+ } else
+ nw->size = new_size;
- nw->hdr = (struct nlmsghdr *)
- (void *)((char *)new_base + hdr_off);
- }
- nw->base = (char *)new_base;
+ memcpy(new_base, nw->base, nw->offset);
+ if (nw->hdr != NULL) {
+ int hdr_off = (char *)(nw->hdr) - nw->base;
+
+ nw->hdr = (struct nlmsghdr *)
+ (void *)((char *)new_base + hdr_off);
}
+ nw->base = (char *)new_base;
return (true);
}
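Review bot: The `new_base == nw->ss->lb->base` test at the top of this hunk relies on two properties of snl_allocz() that the code does not state: an allocation carved out of the current linear buffer never starts at that buffer's base (so equality really does mean a fresh linear buffer), and a fresh linear buffer is at least `new_size` bytes, since the "Claim the entire linear buffer" branch sets `nw->size = nw->ss->lb->size` instead of `new_size` and the subsequent writes of up to `nw->offset + sz` bytes depend on that. A short comment naming both assumptions, or an `assert(nw->ss->lb->size >= new_size)` in that branch, would make it easier to verify later. Dropping the old `if (new_base != nw->base)` guard around the `memcpy` is sound, as a pointer just returned by snl_allocz() cannot alias the writer's existing region. Minor: `int hdr_off = (char *)(nw->hdr) - nw->base;` stores a `ptrdiff_t` in an `int`, and the braced `if` followed by an unbraced `else` is slightly harder to read than bracing both branches.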