diff options
author | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-03-15 17:39:18 +0000 |
---|---|---|
committer | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-03-18 16:54:01 +0000 |
commit | 4019787f50a2826e9a4bba6e70868467b3d6081a (patch) | |
tree | 11852920760d768074a90123bad985a106e395aa | |
parent | 3a5074327da0ceba770aef60e41e91dc7d054019 (diff) | |
download | src-4019787f50a2826e9a4bba6e70868467b3d6081a.tar.gz src-4019787f50a2826e9a4bba6e70868467b3d6081a.zip |
netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.
Reported by: Xiyu Yang <sherllyyang00@gmail.com>
Submitted by: Carl Smith <carl.smith@alliedtelesis.co.nz>
MFC after: 3 days
PR: 254311
-rw-r--r-- | sys/dev/netmap/netmap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index 9d10aa4d6828..420287516aa6 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -2596,6 +2596,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, case NETMAP_REQ_PORT_INFO_GET: { struct nmreq_port_info_get *req = (struct nmreq_port_info_get *)(uintptr_t)hdr->nr_body; + int nmd_ref = 0; NMG_LOCK(); do { @@ -2635,6 +2636,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, error = EINVAL; break; } + nmd_ref = 1; } error = netmap_mem_get_info(nmd, &req->nr_memsize, &memflags, @@ -2650,6 +2652,8 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, req->nr_tx_slots = na->num_tx_desc; } while (0); netmap_unget_na(na, ifp); + if (nmd_ref) + netmap_mem_put(nmd); NMG_UNLOCK(); break; } |