public inbox for linux-kernel@vger.kernel.org
From: Eric Sesterhenn <snakebyte@gmx.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org, jgarzik@pobox.com, kmliu@sis.com
Subject: Re: Possible leaks in network drivers
Date: Wed, 21 Jun 2006 19:50:56 +0200
Message-ID: <1150912256.8784.4.camel@alice>
In-Reply-To: <1150909982.15275.100.camel@localhost.localdomain>

On Wed, 2006-06-21 at 18:13 +0100, Alan Cox wrote:
> On Wed, 2006-06-21 at 18:28 +0200, Eric Sesterhenn wrote:
> > of the driver. Where we call skb=skb_padto(skb, ETH_ZLEN),
> > and don't free the skb later when something goes wrong.
> 
> skb_padto() returns either a new buffer or the existing one depending
> upon the space situation. If it returns a new buffer then it frees the
> old one.
> 
> The sequence is
> 
> dev_queue_xmit(skb)
> 	->hard_start_xmit(dev, skb)
> 	if (0)
> 		free skb
> 	return
> 
> Which I think means that the error path for a short packet would double
> free the skb buffer and leak nskb.
> 
> 
> So these drivers should indeed be checking their status before they
> clone the buffer. At the point they do an skb_padto they must not fail
> if the skb_padto succeeds.

So something like this would be the correct fix for the example?

Fix skb leak found by Coverity checker (id #628). skb_put() might
return a new skb, which never gets freed when we return with
NETDEV_TX_BUSY. This patch moves the check above the skb_put().

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>

--- linux-2.6.17-git2/drivers/net/sis190.c.orig	2006-06-21 19:44:18.000000000 +0200
+++ linux-2.6.17-git2/drivers/net/sis190.c	2006-06-21 19:46:06.000000000 +0200
@@ -1155,6 +1155,18 @@ static int sis190_start_xmit(struct sk_b
 	struct TxDesc *desc;
 	dma_addr_t mapping;
 
+
+	entry = tp->cur_tx % NUM_TX_DESC;
+	desc = tp->TxDescRing + entry;
+
+	if (unlikely(le32_to_cpu(desc->status) & OWNbit)) {
+		netif_stop_queue(dev);
+		net_tx_err(tp, KERN_ERR PFX
+			"%s: BUG! Tx Ring full when queue awake!\n",
+			dev->name);
+		return NETDEV_TX_BUSY;
+	}
+
 	if (unlikely(skb->len < ETH_ZLEN)) {
 		skb = skb_padto(skb, ETH_ZLEN);
 		if (!skb) {
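Review bot: the changelog names skb_put() as the call that may return a new skb, but the call the moved check now sits above in this hunk is skb_padto(skb, ETH_ZLEN); the changelog should say skb_padto() so the description matches the code. Two style points on the added block: it opens with an extra empty line directly after the existing blank line that follows "dma_addr_t mapping;", and the continuation lines of net_tx_err() are indented with tabs only, where the lines being moved aligned the arguments under the opening parenthesis. Keeping the moved lines byte-identical would make this a pure code move and easier to verify.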
@@ -1166,17 +1178,6 @@ static int sis190_start_xmit(struct sk_b
 		len = skb->len;
 	}
 
-	entry = tp->cur_tx % NUM_TX_DESC;
-	desc = tp->TxDescRing + entry;
-
-	if (unlikely(le32_to_cpu(desc->status) & OWNbit)) {
-		netif_stop_queue(dev);
-		net_tx_err(tp, KERN_ERR PFX
-			   "%s: BUG! Tx Ring full when queue awake!\n",
-			   dev->name);
-		return NETDEV_TX_BUSY;
-	}
-
 	mapping = pci_map_single(tp->pci_dev, skb->data, len, PCI_DMA_TODEVICE);
 
 	tp->Tx_skbuff[entry] = skb;
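Review bot: with the OWNbit check removed from between skb_padto() and pci_map_single(), nothing in the code records why the order matters, so a later change could reintroduce a NETDEV_TX_BUSY return after the pad. A short comment at the relocated check, or just above pci_map_single(), should state that no failing return may follow a successful skb_padto(), since the quoted reply above explains that skb_padto() may hand back a new buffer and free the old one. The visible lines from pci_map_single() to "tp->Tx_skbuff[entry] = skb;" contain no other early return, which is consistent with that rule.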


