From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Cc: "Michael S. Tsirkin" , Luis Henriques Subject: [PATCH 3.11 191/208] virtio_net: don't leak memory or block when too many frags Date: Mon, 13 Jan 2014 16:00:32 +0000 Message-Id: <1389628849-1614-192-git-send-email-luis.henriques@canonical.com> In-Reply-To: <1389628849-1614-1-git-send-email-luis.henriques@canonical.com> References: <1389628849-1614-1-git-send-email-luis.henriques@canonical.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.11.10.3 -stable review patch. If anyone has any objections, please let me know. ------------------ From: "Michael S. Tsirkin" We leak an skb when there are too many frags, we also stop processing the packet in the middle, the result is almost sure to be loss of networking. Reported-by: Michael Dalton Acked-by: Michael Dalton Signed-off-by: Michael S. Tsirkin Signed-off-by: Luis Henriques --- drivers/net/virtio_net.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index ec0e9f2..68692af 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -341,7 +341,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, if (i >= MAX_SKB_FRAGS) { pr_debug("%s: packet too long\n", skb->dev->name); skb->dev->stats.rx_length_errors++; - return NULL; + goto err_frags; } page = virtqueue_get_buf(rq->vq, &len); if (!page) { @@ -362,6 +362,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, err_skb: give_pages(rq, page); while (--num_buf) { +err_frags: buf = virtqueue_get_buf(rq->vq, &len); if (unlikely(!buf)) { pr_debug("%s: rx error: %d buffers missing\n", -- 1.8.3.2