diff mbox

bnx2x: Fix mem leak in bnx2x_tpa_stop() if build_skb() fails.

Message ID alpine.LNX.2.00.1202062224210.20532@swampdragon.chaosbits.net
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Jesper Juhl Feb. 6, 2012, 9:28 p.m. UTC 
We allocate memory for 'new_data' with kmalloc(). If we get the memory
we then try to build_skb() and if that should fail (which it can) we
do not enter 'if (likely(skb)) {' and actually use 'new_data' but
instead fall through to the 'drop:' label and end up returning from
the function without ever assigning 'new'data' to anything or freeing
it. That leaks the memory allocated to 'new_data'.

This patch fixes the memory leak by doing a kfree(new_data) in the
case where build_skb() fails (or where allocation of 'new_data' itself
fails, but in taht case it's just a harmless kfree(NULL)).

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

 No hardware to test, so compile tested only.

Comments

Eric Dumazet Feb. 6, 2012, 10:53 p.m. UTC | #1 
Le lundi 06 février 2012 à 22:28 +0100, Jesper Juhl a écrit :
> We allocate memory for 'new_data' with kmalloc(). If we get the memory
> we then try to build_skb() and if that should fail (which it can) we
> do not enter 'if (likely(skb)) {' and actually use 'new_data' but
> instead fall through to the 'drop:' label and end up returning from
> the function without ever assigning 'new'data' to anything or freeing
> it. That leaks the memory allocated to 'new_data'.
> 
> This patch fixes the memory leak by doing a kfree(new_data) in the
> case where build_skb() fails (or where allocation of 'new_data' itself
> fails, but in taht case it's just a harmless kfree(NULL)).
> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 +--
>  1 files changed, 1 insertions(+), 2 deletions(-)
> 
>  No hardware to test, so compile tested only.
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index 03f3935..7aee469 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -523,7 +523,6 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
>  		skb = build_skb(data);
>  
>  	if (likely(skb)) {
> -
>  #ifdef BNX2X_STOP_ON_ERROR
>  		if (pad + len > fp->rx_buf_size) {
>  			BNX2X_ERR("skb_put is about to fail...  "
> @@ -557,7 +556,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
>  
>  		return;
>  	}
> -
> +	kfree(new_data);
>  drop:
>  	/* drop the packet and keep the buffer in the bin */
>  	DP(NETIF_MSG_RX_STATUS,
> -- 
> 1.7.9
> 
> 

Good catch, my bad.

Thanks

Acked-by: Eric Dumazet <eric.dumazet@gmail.com>



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eilon Greenstein Feb. 7, 2012, 6:55 a.m. UTC | #2 
On Mon, 2012-02-06 at 23:53 +0100, Eric Dumazet wrote:
> Le lundi 06 février 2012 à 22:28 +0100, Jesper Juhl a écrit :
> > We allocate memory for 'new_data' with kmalloc(). If we get the memory
> > we then try to build_skb() and if that should fail (which it can) we
> > do not enter 'if (likely(skb)) {' and actually use 'new_data' but
> > instead fall through to the 'drop:' label and end up returning from
> > the function without ever assigning 'new'data' to anything or freeing
> > it. That leaks the memory allocated to 'new_data'.
> > 
> > This patch fixes the memory leak by doing a kfree(new_data) in the
> > case where build_skb() fails (or where allocation of 'new_data' itself
> > fails, but in taht case it's just a harmless kfree(NULL)).
> > 
> > Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> > ---
> >  drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 +--
> >  1 files changed, 1 insertions(+), 2 deletions(-)
> > 
> >  No hardware to test, so compile tested only.
> > 
> > diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > index 03f3935..7aee469 100644
> > --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> > @@ -523,7 +523,6 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
> >  		skb = build_skb(data);
> >  
> >  	if (likely(skb)) {
> > -
> >  #ifdef BNX2X_STOP_ON_ERROR
> >  		if (pad + len > fp->rx_buf_size) {
> >  			BNX2X_ERR("skb_put is about to fail...  "
> > @@ -557,7 +556,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
> >  
> >  		return;
> >  	}
> > -
> > +	kfree(new_data);
> >  drop:
> >  	/* drop the packet and keep the buffer in the bin */
> >  	DP(NETIF_MSG_RX_STATUS,
> > -- 
> > 1.7.9
> > 
> > 
> 
> Good catch, my bad.
> 
> Thanks
> 
> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>

Indeed - nice catch. Thanks Jesper.

Acked-by: Eilon Greenstein <eilong@broadcom.com>





--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller Feb. 7, 2012, 6:14 p.m. UTC | #3 
From: "Eilon Greenstein" <eilong@broadcom.com>
Date: Tue, 7 Feb 2012 08:55:01 +0200

> On Mon, 2012-02-06 at 23:53 +0100, Eric Dumazet wrote:
>> Le lundi 06 février 2012 à 22:28 +0100, Jesper Juhl a écrit :
>> > We allocate memory for 'new_data' with kmalloc(). If we get the memory
>> > we then try to build_skb() and if that should fail (which it can) we
>> > do not enter 'if (likely(skb)) {' and actually use 'new_data' but
>> > instead fall through to the 'drop:' label and end up returning from
>> > the function without ever assigning 'new'data' to anything or freeing
>> > it. That leaks the memory allocated to 'new_data'.
>> > 
>> > This patch fixes the memory leak by doing a kfree(new_data) in the
>> > case where build_skb() fails (or where allocation of 'new_data' itself
>> > fails, but in taht case it's just a harmless kfree(NULL)).
>> > 
>> > Signed-off-by: Jesper Juhl <jj@chaosbits.net>
...
>> Good catch, my bad.
>> 
>> Thanks
>> 
>> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
> 
> Indeed - nice catch. Thanks Jesper.
> 
> Acked-by: Eilon Greenstein <eilong@broadcom.com>

Applied, thanks everyone.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 03f3935..7aee469 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -523,7 +523,6 @@  static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
 		skb = build_skb(data);
 
 	if (likely(skb)) {
-
 #ifdef BNX2X_STOP_ON_ERROR
 		if (pad + len > fp->rx_buf_size) {
 			BNX2X_ERR("skb_put is about to fail...  "
@@ -557,7 +556,7 @@  static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
 
 		return;
 	}
-
+	kfree(new_data);
 drop:
 	/* drop the packet and keep the buffer in the bin */
 	DP(NETIF_MSG_RX_STATUS,