svn commit: r297298 - in head/sys: dev/netmap kern
Navdeep Parhar
np at FreeBSD.org
Sat Mar 26 23:39:54 UTC 2016
Author: np
Date: Sat Mar 26 23:39:53 2016
New Revision: 297298
URL: https://svnweb.freebsd.org/changeset/base/297298
Log:
Plug leak in m_unshare.
m_unshare passes on the source mbuf's flags as-is to m_getcl and this
results in a leak if the flags include M_NOFREE. The fix is to clear
the bits not listed in M_COPYALL before calling m_getcl. M_RDONLY
should probably be filtered out too but that's outside the scope of this
fix.
Add assertions in the zone_mbuf and zone_pack ctors to catch similar
bugs.
Update netmap_get_mbuf to not pass M_NOFREE to m_getcl. It's not clear
what the original code was trying to do but it's likely incorrect.
Updated code is no different functionally but it avoids the newly added
assertions.
Reviewed by: gnn@
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D5698
Modified:
head/sys/dev/netmap/netmap_generic.c
head/sys/kern/kern_mbuf.c
head/sys/kern/uipc_mbuf.c
Modified: head/sys/dev/netmap/netmap_generic.c
==============================================================================
--- head/sys/dev/netmap/netmap_generic.c Sat Mar 26 19:16:53 2016 (r297297)
+++ head/sys/dev/netmap/netmap_generic.c Sat Mar 26 23:39:53 2016 (r297298)
@@ -129,8 +129,9 @@ static inline struct mbuf *
netmap_get_mbuf(int len)
{
struct mbuf *m;
- m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR | M_NOFREE);
+ m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
if (m) {
+ m->m_flags |= M_NOFREE; /* XXXNP: Almost certainly incorrect. */
m->m_ext.ext_arg1 = m->m_ext.ext_buf; // XXX save
m->m_ext.ext_free = (void *)netmap_default_mbuf_destructor;
m->m_ext.ext_type = EXT_EXTREF;
Modified: head/sys/kern/kern_mbuf.c
==============================================================================
--- head/sys/kern/kern_mbuf.c Sat Mar 26 19:16:53 2016 (r297297)
+++ head/sys/kern/kern_mbuf.c Sat Mar 26 23:39:53 2016 (r297298)
@@ -424,6 +424,7 @@ mb_ctor_mbuf(void *mem, int size, void *
m = (struct mbuf *)mem;
flags = args->flags;
+ MPASS((flags & M_NOFREE) == 0);
error = m_init(m, how, type, flags);
@@ -572,6 +573,7 @@ mb_ctor_pack(void *mem, int size, void *
args = (struct mb_args *)arg;
flags = args->flags;
type = args->type;
+ MPASS((flags & M_NOFREE) == 0);
#ifdef INVARIANTS
trash_ctor(m->m_ext.ext_buf, MCLBYTES, arg, how);
Modified: head/sys/kern/uipc_mbuf.c
==============================================================================
--- head/sys/kern/uipc_mbuf.c Sat Mar 26 19:16:53 2016 (r297297)
+++ head/sys/kern/uipc_mbuf.c Sat Mar 26 23:39:53 2016 (r297298)
@@ -1670,7 +1670,7 @@ m_unshare(struct mbuf *m0, int how)
* don't know how to break up the non-contiguous memory when
* doing DMA.
*/
- n = m_getcl(how, m->m_type, m->m_flags);
+ n = m_getcl(how, m->m_type, m->m_flags & M_COPYFLAGS);
if (n == NULL) {
m_freem(m0);
return (NULL);
@@ -1700,7 +1700,7 @@ m_unshare(struct mbuf *m0, int how)
break;
off += cc;
- n = m_getcl(how, m->m_type, m->m_flags);
+ n = m_getcl(how, m->m_type, m->m_flags & M_COPYFLAGS);
if (n == NULL) {
m_freem(mfirst);
m_freem(m0);
More information about the svn-src-all
mailing list