We allocate memory for 'new_data' with kmalloc(). If we get the memory
we then try to build_skb() and if that should fail (which it can) we
do not enter 'if (likely(skb)) {' and actually use 'new_data' but
instead fall through to the 'drop:' label and end up returning from
the function without ever assigning 'new'data' to anything or freeing
it. That leaks the memory allocated to 'new_data'.
This patch fixes the memory leak by doing a kfree(new_data) in the
case where build_skb() fails (or where allocation of 'new_data' itself
fails, but in taht case it's just a harmless kfree(NULL)).
Signed-off-by: Jesper Juhl <[email protected]>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
No hardware to test, so compile tested only.
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 03f3935..7aee469 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -523,7 +523,6 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
skb = build_skb(data);
if (likely(skb)) {
-
#ifdef BNX2X_STOP_ON_ERROR
if (pad + len > fp->rx_buf_size) {
BNX2X_ERR("skb_put is about to fail... "
@@ -557,7 +556,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
return;
}
-
+ kfree(new_data);
drop:
/* drop the packet and keep the buffer in the bin */
DP(NETIF_MSG_RX_STATUS,
--
1.7.9
--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.
Le lundi 06 février 2012 à 22:28 +0100, Jesper Juhl a écrit :
> We allocate memory for 'new_data' with kmalloc(). If we get the memory
> we then try to build_skb() and if that should fail (which it can) we
> do not enter 'if (likely(skb)) {' and actually use 'new_data' but
> instead fall through to the 'drop:' label and end up returning from
> the function without ever assigning 'new'data' to anything or freeing
> it. That leaks the memory allocated to 'new_data'.
>
> This patch fixes the memory leak by doing a kfree(new_data) in the
> case where build_skb() fails (or where allocation of 'new_data' itself
> fails, but in taht case it's just a harmless kfree(NULL)).
>
> Signed-off-by: Jesper Juhl <[email protected]>
> ---
> drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +--
> 1 files changed, 1 insertions(+), 2 deletions(-)
>
> No hardware to test, so compile tested only.
>
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 03f3935..7aee469 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -523,7 +523,6 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
> skb = build_skb(data);
>
> if (likely(skb)) {
> -
> #ifdef BNX2X_STOP_ON_ERROR
> if (pad + len > fp->rx_buf_size) {
> BNX2X_ERR("skb_put is about to fail... "
> @@ -557,7 +556,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
>
> return;
> }
> -
> + kfree(new_data);
> drop:
> /* drop the packet and keep the buffer in the bin */
> DP(NETIF_MSG_RX_STATUS,
> --
> 1.7.9
>
>
Good catch, my bad.
Thanks
Acked-by: Eric Dumazet <[email protected]>
On Mon, 2012-02-06 at 23:53 +0100, Eric Dumazet wrote:
> Le lundi 06 février 2012 à 22:28 +0100, Jesper Juhl a écrit :
> > We allocate memory for 'new_data' with kmalloc(). If we get the memory
> > we then try to build_skb() and if that should fail (which it can) we
> > do not enter 'if (likely(skb)) {' and actually use 'new_data' but
> > instead fall through to the 'drop:' label and end up returning from
> > the function without ever assigning 'new'data' to anything or freeing
> > it. That leaks the memory allocated to 'new_data'.
> >
> > This patch fixes the memory leak by doing a kfree(new_data) in the
> > case where build_skb() fails (or where allocation of 'new_data' itself
> > fails, but in taht case it's just a harmless kfree(NULL)).
> >
> > Signed-off-by: Jesper Juhl <[email protected]>
> > ---
> > drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +--
> > 1 files changed, 1 insertions(+), 2 deletions(-)
> >
> > No hardware to test, so compile tested only.
> >
> > diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > index 03f3935..7aee469 100644
> > --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > @@ -523,7 +523,6 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
> > skb = build_skb(data);
> >
> > if (likely(skb)) {
> > -
> > #ifdef BNX2X_STOP_ON_ERROR
> > if (pad + len > fp->rx_buf_size) {
> > BNX2X_ERR("skb_put is about to fail... "
> > @@ -557,7 +556,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
> >
> > return;
> > }
> > -
> > + kfree(new_data);
> > drop:
> > /* drop the packet and keep the buffer in the bin */
> > DP(NETIF_MSG_RX_STATUS,
> > --
> > 1.7.9
> >
> >
>
> Good catch, my bad.
>
> Thanks
>
> Acked-by: Eric Dumazet <[email protected]>
Indeed - nice catch. Thanks Jesper.
Acked-by: Eilon Greenstein <[email protected]>
From: "Eilon Greenstein" <[email protected]>
Date: Tue, 7 Feb 2012 08:55:01 +0200
> On Mon, 2012-02-06 at 23:53 +0100, Eric Dumazet wrote:
>> Le lundi 06 f?vrier 2012 ? 22:28 +0100, Jesper Juhl a ?crit :
>> > We allocate memory for 'new_data' with kmalloc(). If we get the memory
>> > we then try to build_skb() and if that should fail (which it can) we
>> > do not enter 'if (likely(skb)) {' and actually use 'new_data' but
>> > instead fall through to the 'drop:' label and end up returning from
>> > the function without ever assigning 'new'data' to anything or freeing
>> > it. That leaks the memory allocated to 'new_data'.
>> >
>> > This patch fixes the memory leak by doing a kfree(new_data) in the
>> > case where build_skb() fails (or where allocation of 'new_data' itself
>> > fails, but in taht case it's just a harmless kfree(NULL)).
>> >
>> > Signed-off-by: Jesper Juhl <[email protected]>
...
>> Good catch, my bad.
>>
>> Thanks
>>
>> Acked-by: Eric Dumazet <[email protected]>
>
> Indeed - nice catch. Thanks Jesper.
>
> Acked-by: Eilon Greenstein <[email protected]>
Applied, thanks everyone.