NetBSD Problem Report #44196

From hash@abox3.so-net.ne.jp  Mon Dec  6 05:41:44 2010
Return-Path: <hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id ADE6863B8C4
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  6 Dec 2010 05:41:44 +0000 (UTC)
Message-Id: <20101206115153.E732.17947C80@abox3.so-net.ne.jp>
Date: Mon, 06 Dec 2010 11:54:53 +0900
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Cc: hash@abox3.so-net.ne.jp
Subject: possible mbuf leak when writing to BPF with BIOCSFEEDBACK

>Number:         44196
>Category:       kern
>Synopsis:       possible mbuf leak when writing to BPF with BIOCSFEEDBACK
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 06 05:45:00 +0000 2010
>Closed-Date:    Fri Jan 13 16:29:42 +0000 2012
>Last-Modified:  Fri Jan 13 16:30:02 +0000 2012
>Originator:     Takahiro HAYASHI
>Release:        NetBSD-current 5.99.41
>Organization:
>Environment:
System: NetBSD halt 5.99.41 NetBSD 5.99.41 (HALT) #0: Fri Dec 3 22:48:54 JST 2010 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/HALT i386
Architecture: i386
Machine: i386
>Description:
	Writing to a BIOCSFEEDBACK-enabled BPF descriptor may cause an mbuf
	leak under particular conditions, e.g. when the interface is down.

	Please see the patch below (inspired by FreeBSD).
	In bpf_write() of sys/net/bpf.c the packet is sent by if_output
	and the return value is stored in `error'.  If error != 0, the
	duplicated mbuf `mc' is not sent to the upper layer and not freed.
	This causes mbuf leakage.

Index: sys/net/bpf.c
===================================================================
RCS file: /cvsroot/src/sys/net/bpf.c,v
retrieving revision 1.158
diff -u -c -r1.158 bpf.c
*** sys/net/bpf.c	14 Apr 2010 13:31:33 -0000	1.158
--- sys/net/bpf.c	6 Dec 2010 01:53:25 -0000
***************
*** 674,681 ****
  	error = (*ifp->if_output)(ifp, m, (struct sockaddr *) &dst, NULL);

  	if (mc != NULL) {
  		if (error == 0)
  			(*ifp->if_input)(ifp, mc);
! 	} else
! 		m_freem(mc);
  	splx(s);
  	KERNEL_UNLOCK_ONE(NULL);
  	/*
--- 676,684 ----
  	error = (*ifp->if_output)(ifp, m, (struct sockaddr *) &dst, NULL);

  	if (mc != NULL) {
  		if (error == 0)
  			(*ifp->if_input)(ifp, mc);
! 		else
! 			m_freem(mc);
! 	}
  	splx(s);
  	KERNEL_UNLOCK_ONE(NULL);
  	/*
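
Review bot: in the new block the inner `if (error == 0) ... else m_freem(mc);` is still unbraced, and an unbraced `else` sitting next to the closing brace is how the old code ended up calling `m_freem(mc)` only when `mc` was NULL. Consider bracing both arms and adding a one-line comment that `mc` is either handed to `if_input` or freed here, so the ownership rule survives later edits. The logic itself reads correctly: with `mc != NULL` and a non-zero `error` the copy is now freed.
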
>How-To-Repeat:
>Fix:
	see above.

-- 
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>

>Release-Note:

>Audit-Trail:
From: "Antti Kantee" <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44196 CVS commit: src/tests/net/bpf
Date: Mon, 6 Dec 2010 11:32:01 +0000

 Module Name:	src
 Committed By:	pooka
 Date:		Mon Dec  6 11:32:01 UTC 2010

 Modified Files:
 	src/tests/net/bpf: Makefile
 Added Files:
 	src/tests/net/bpf: t_bpf.c

 Log Message:
 Add an xfail test for the mbuf leak described in PR kern/44196.

 This is yet another example of a simple test which would be much
 trickier to execute against the host kernel.  You would either need
 to put networking in a complete lockdown, or do some "statistical"
 methods where you trigger the bug many many times and attempt to
 ascertain a rising trend in mbuf count.  And, of course, the leaked
 mbufs don't go away from the host kernel once the test ends.  In
 contrast, we *know* that there is no other networking activity in
 a rump kernel, so we can execute the operation exactly once, plus
 the leaked mbuf "disappears" when the test is done.


 To generate a diff of this commit:
 cvs rdiff -u -r1.1 -r1.2 src/tests/net/bpf/Makefile
 cvs rdiff -u -r0 -r1.1 src/tests/net/bpf/t_bpf.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
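
Added example (not part of the PR, the patch or t_bpf.c): a user-space C model of the feedback branch from the report, checked the way the commit message above describes, by running the operation once in isolation and counting what is still allocated. The names `pool`, `live_mbufs`, `mbuf_alloc`, `feedback_old`, `feedback_fixed` and `leaked_after`, and the simplified `if_output`/`if_input` that always consume their mbuf, are assumptions of the model.

```c
/* User-space model of the bpf_write() feedback path; not NetBSD kernel code. */
#include <errno.h>
#include <stdio.h>

static struct mbuf { int unused; } pool;	/* all model mbufs alias this */
static int live_mbufs;		/* stand-in for the kernel's mbuf count */

static struct mbuf *mbuf_alloc(void) { live_mbufs++; return &pool; }
static void m_freem(struct mbuf *m) { if (m != NULL) live_mbufs--; }

/* Assumed model: both consume their mbuf; output fails while the interface is down. */
static int if_output(int if_up, struct mbuf *m) { m_freem(m); return if_up ? 0 : ENETDOWN; }
static void if_input(struct mbuf *mc) { m_freem(mc); }

/* Pre-patch shape: the else pairs with "mc != NULL", so it only ever sees NULL. */
static void feedback_old(int error, struct mbuf *mc)
{
	if (mc != NULL) {
		if (error == 0)
			if_input(mc);
	} else
		m_freem(mc);
}

/* Patched shape: a copy that was not handed to if_input is freed. */
static void feedback_fixed(int error, struct mbuf *mc)
{
	if (mc != NULL) {
		if (error == 0)
			if_input(mc);
		else
			m_freem(mc);
	}
}

/* One write; returns the number of mbufs still allocated afterwards. */
static int leaked_after(void (*feedback)(int, struct mbuf *), int if_up, int want_copy)
{
	int before = live_mbufs;
	struct mbuf *m = mbuf_alloc(), *mc = want_copy ? mbuf_alloc() : NULL;
	feedback(if_output(if_up, m), mc);
	return live_mbufs - before;
}

int main(void)
{
	printf("pre-patch, interface down: %d leaked\n", leaked_after(feedback_old, 0, 1));
	printf("patched,   interface down: %d leaked\n", leaked_after(feedback_fixed, 0, 1));
	return 0;
}
```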

State-Changed-From-To: open->closed
State-Changed-By: christos@NetBSD.org
State-Changed-When: Fri, 13 Jan 2012 11:29:42 -0500
State-Changed-Why:
fixed, thanks!


From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/44196 CVS commit: src/tests/net/bpf
Date: Fri, 13 Jan 2012 11:28:44 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Fri Jan 13 16:28:44 UTC 2012

 Modified Files:
 	src/tests/net/bpf: t_bpf.c

 Log Message:
 PR/44196 is now fixed, so don't expect a failure.


 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.4 src/tests/net/bpf/t_bpf.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
