diff options
author | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-03-15 17:39:18 +0000 |
---|---|---|
committer | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2021-03-23 22:04:29 +0000 |
commit | f7e3976ed0336b338ae83cfaef68ef5094532040 (patch) | |
tree | 08353dd457241972d7b63883f901ca1b785ba0f2 | |
parent | a9c7d90862ef1214f5d9c4455d4519eec3a34570 (diff) | |
download | src-f7e3976ed0336b338ae83cfaef68ef5094532040.tar.gz src-f7e3976ed0336b338ae83cfaef68ef5094532040.zip |
netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET
The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.
Approved by: re (gjb)
Reported by: Xiyu Yang <sherllyyang00@gmail.com>
Submitted by: Carl Smith <carl.smith@alliedtelesis.co.nz>
MFC after: 3 days
PR: 254311
(cherry picked from commit 0ab5902e8ad93d0a9341dcce386b6c571ee02173)
(cherry picked from commit 120a4bd4e9d05147a9774a2ca4b4eff48e062442)
-rw-r--r-- | sys/dev/netmap/netmap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index b711e0d2497e..0bc723f6963d 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -2646,6 +2646,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, case NETMAP_REQ_PORT_INFO_GET: { struct nmreq_port_info_get *req = (struct nmreq_port_info_get *)(uintptr_t)hdr->nr_body; + int nmd_ref = 0; NMG_LOCK(); do { @@ -2687,6 +2688,7 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, error = EINVAL; break; } + nmd_ref = 1; } error = netmap_mem_get_info(nmd, &req->nr_memsize, &memflags, @@ -2704,6 +2706,8 @@ netmap_ioctl(struct netmap_priv_d *priv, u_long cmd, caddr_t data, req->nr_host_rx_rings = na->num_host_rx_rings; } while (0); netmap_unget_na(na, ifp); + if (nmd_ref) + netmap_mem_put(nmd); NMG_UNLOCK(); break; } |