From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael S. Tsirkin" Subject: [PATCH stable v2 3/3] virtio_net: don't leak memory or block when too many frags Date: Thu, 26 Dec 2013 15:32:55 +0200 Message-ID: <1388064752-15734-4-git-send-email-mst@redhat.com> References: <1388064752-15734-1-git-send-email-mst@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <1388064752-15734-1-git-send-email-mst@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: virtualization-bounces@lists.linux-foundation.org Errors-To: virtualization-bounces@lists.linux-foundation.org To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, David Miller , Michael Dalton List-Id: virtualization@lists.linuxfoundation.org We leak an skb when there are too many frags, we also stop processing the packet in the middle, the result is almost sure to be loss of networking. Reported-by: Michael Dalton Acked-by: Michael Dalton Signed-off-by: Michael S. Tsirkin --- drivers/net/virtio_net.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index c0ed6d5..b8665588 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -344,7 +344,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, if (i >= MAX_SKB_FRAGS) { pr_debug("%s: packet too long\n", skb->dev->name); skb->dev->stats.rx_length_errors++; - return NULL; + goto err_frags; } page = virtqueue_get_buf(rq->vq, &len); if (!page) { @@ -365,6 +365,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, err_skb: give_pages(rq, page); while (--num_buf) { +err_frags: buf = virtqueue_get_buf(rq->vq, &len); if (unlikely(!buf)) { pr_debug("%s: rx error: %d buffers missing\n", -- MST From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753040Ab3LZN3J (ORCPT ); Thu, 26 Dec 2013 08:29:09 -0500 Received: from mx1.redhat.com ([209.132.183.28]:48502 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752985Ab3LZN3D (ORCPT ); Thu, 26 Dec 2013 08:29:03 -0500 Date: Thu, 26 Dec 2013 15:32:55 +0200 From: "Michael S. Tsirkin" To: netdev@vger.kernel.org Cc: David Miller , Rusty Russell , Michael Dalton , virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org Subject: [PATCH stable v2 3/3] virtio_net: don't leak memory or block when too many frags Message-ID: <1388064752-15734-4-git-send-email-mst@redhat.com> References: <1388064752-15734-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1388064752-15734-1-git-send-email-mst@redhat.com> X-Mutt-Fcc: =sent Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We leak an skb when there are too many frags, we also stop processing the packet in the middle, the result is almost sure to be loss of networking. Reported-by: Michael Dalton Acked-by: Michael Dalton Signed-off-by: Michael S. Tsirkin --- drivers/net/virtio_net.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index c0ed6d5..b8665588 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -344,7 +344,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, if (i >= MAX_SKB_FRAGS) { pr_debug("%s: packet too long\n", skb->dev->name); skb->dev->stats.rx_length_errors++; - return NULL; + goto err_frags; } page = virtqueue_get_buf(rq->vq, &len); if (!page) { @@ -365,6 +365,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, err_skb: give_pages(rq, page); while (--num_buf) { +err_frags: buf = virtqueue_get_buf(rq->vq, &len); if (unlikely(!buf)) { pr_debug("%s: rx error: %d buffers missing\n", -- MST