svn commit: r297298 - in head/sys: dev/netmap kern

Navdeep Parhar np at FreeBSD.org
Sat Mar 26 23:39:54 UTC 2016 

Author: np
Date: Sat Mar 26 23:39:53 2016
New Revision: 297298
URL: https://svnweb.freebsd.org/changeset/base/297298

Log:
  Plug leak in m_unshare.
  
  m_unshare passes on the source mbuf's flags as-is to m_getcl and this
  results in a leak if the flags include M_NOFREE.  The fix is to clear
  the bits not listed in M_COPYALL before calling m_getcl.  M_RDONLY
  should probably be filtered out too but that's outside the scope of this
  fix.
  
  Add assertions in the zone_mbuf and zone_pack ctors to catch similar
  bugs.
  
  Update netmap_get_mbuf to not pass M_NOFREE to m_getcl.  It's not clear
  what the original code was trying to do but it's likely incorrect.
  Updated code is no different functionally but it avoids the newly added
  assertions.
  
  Reviewed by:	gnn@
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D5698

Modified:
  head/sys/dev/netmap/netmap_generic.c
  head/sys/kern/kern_mbuf.c
  head/sys/kern/uipc_mbuf.c

Modified: head/sys/dev/netmap/netmap_generic.c
==============================================================================
--- head/sys/dev/netmap/netmap_generic.c	Sat Mar 26 19:16:53 2016	(r297297)
+++ head/sys/dev/netmap/netmap_generic.c	Sat Mar 26 23:39:53 2016	(r297298)
@@ -129,8 +129,9 @@ static inline struct mbuf *
 netmap_get_mbuf(int len)
 {
 	struct mbuf *m;
-	m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR | M_NOFREE);
+	m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
 	if (m) {
+		m->m_flags |= M_NOFREE;	/* XXXNP: Almost certainly incorrect. */
 		m->m_ext.ext_arg1 = m->m_ext.ext_buf; // XXX save
 		m->m_ext.ext_free = (void *)netmap_default_mbuf_destructor;
 		m->m_ext.ext_type = EXT_EXTREF;

Modified: head/sys/kern/kern_mbuf.c
==============================================================================
--- head/sys/kern/kern_mbuf.c	Sat Mar 26 19:16:53 2016	(r297297)
+++ head/sys/kern/kern_mbuf.c	Sat Mar 26 23:39:53 2016	(r297298)
@@ -424,6 +424,7 @@ mb_ctor_mbuf(void *mem, int size, void *
 
 	m = (struct mbuf *)mem;
 	flags = args->flags;
+	MPASS((flags & M_NOFREE) == 0);
 
 	error = m_init(m, how, type, flags);
 
@@ -572,6 +573,7 @@ mb_ctor_pack(void *mem, int size, void *
 	args = (struct mb_args *)arg;
 	flags = args->flags;
 	type = args->type;
+	MPASS((flags & M_NOFREE) == 0);
 
 #ifdef INVARIANTS
 	trash_ctor(m->m_ext.ext_buf, MCLBYTES, arg, how);

Modified: head/sys/kern/uipc_mbuf.c
==============================================================================
--- head/sys/kern/uipc_mbuf.c	Sat Mar 26 19:16:53 2016	(r297297)
+++ head/sys/kern/uipc_mbuf.c	Sat Mar 26 23:39:53 2016	(r297298)
@@ -1670,7 +1670,7 @@ m_unshare(struct mbuf *m0, int how)
 		 * don't know how to break up the non-contiguous memory when
 		 * doing DMA.
 		 */
-		n = m_getcl(how, m->m_type, m->m_flags);
+		n = m_getcl(how, m->m_type, m->m_flags & M_COPYFLAGS);
 		if (n == NULL) {
 			m_freem(m0);
 			return (NULL);
@@ -1700,7 +1700,7 @@ m_unshare(struct mbuf *m0, int how)
 				break;
 			off += cc;
 
-			n = m_getcl(how, m->m_type, m->m_flags);
+			n = m_getcl(how, m->m_type, m->m_flags & M_COPYFLAGS);
 			if (n == NULL) {
 				m_freem(mfirst);
 				m_freem(m0);

More information about the svn-src-all mailing list