From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael S. Tsirkin" Subject: [PATCH stable] virtio_net: don't leak memory or block when too many frags Date: Wed, 25 Dec 2013 22:13:18 +0200 Message-ID: <1387999653-22139-1-git-send-email-mst@redhat.com> References: <1387983339-1172-1-git-send-email-mst@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, David Miller , Michael Dalton To: netdev@vger.kernel.org Return-path: Content-Disposition: inline In-Reply-To: <1387983339-1172-1-git-send-email-mst@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: virtualization-bounces@lists.linux-foundation.org Errors-To: virtualization-bounces@lists.linux-foundation.org List-Id: netdev.vger.kernel.org We leak an skb when there are too many frags, we also stop processing the packet in the middle, the result is almost sure to be loss of networking. Reported-by: Michael Dalton Signed-off-by: Michael S. Tsirkin --- Note: this path is gone upstream, so this patch is for stable kernel only. This is on top of series: virtio-net: backport error handling bugfix that I sent previously (and that this is in reply to). drivers/net/virtio_net.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index c0ed6d5..86fe1e7 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -344,7 +344,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, if (i >= MAX_SKB_FRAGS) { pr_debug("%s: packet too long\n", skb->dev->name); skb->dev->stats.rx_length_errors++; - return NULL; + goto err_frags; } page = virtqueue_get_buf(rq->vq, &len); if (!page) { @@ -364,6 +364,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, return skb; err_skb: give_pages(rq, page); while (--num_buf) { +err_frags: buf = virtqueue_get_buf(rq->vq, &len); if (unlikely(!buf)) { -- MST