NetBSD Problem Report #44196
From hash@abox3.so-net.ne.jp Mon Dec 6 05:41:44 2010
Return-Path: <hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id ADE6863B8C4
for <gnats-bugs@gnats.NetBSD.org>; Mon, 6 Dec 2010 05:41:44 +0000 (UTC)
Message-Id: <20101206115153.E732.17947C80@abox3.so-net.ne.jp>
Date: Mon, 06 Dec 2010 11:54:53 +0900
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Cc: hash@abox3.so-net.ne.jp
Subject: possible mbuf leak when writing to BPF with BIOCSFEEDBACK
>Number: 44196
>Category: kern
>Synopsis: possible mbuf leak when writing to BPF with BIOCSFEEDBACK
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 06 05:45:00 +0000 2010
>Closed-Date: Fri Jan 13 16:29:42 +0000 2012
>Last-Modified: Fri Jan 13 16:30:02 +0000 2012
>Originator: Takahiro HAYASHI
>Release: NetBSD-current 5.99.41
>Organization:
>Environment:
System: NetBSD halt 5.99.41 NetBSD 5.99.41 (HALT) #0: Fri Dec 3 22:48:54 JST 2010 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/HALT i386
Architecture: i386
Machine: i386
>Description:
Writing to a BIOCSFEEDBACK-enabled BPF descriptor may cause an mbuf
leak under particular conditions, e.g. when the interface is down.
Please see the patch below (inspired by FreeBSD).
In bpf_write() of sys/net/bpf.c the packet is sent by if_output
and the return value is stored in `error'. If error != 0, the
duplicated mbuf `mc' is not sent to the upper layer and is not freed.
This causes mbuf leakage.
Index: sys/net/bpf.c
===================================================================
RCS file: /cvsroot/src/sys/net/bpf.c,v
retrieving revision 1.158
diff -u -c -r1.158 bpf.c
*** sys/net/bpf.c 14 Apr 2010 13:31:33 -0000 1.158
--- sys/net/bpf.c 6 Dec 2010 01:53:25 -0000
***************
*** 674,681 ****
error = (*ifp->if_output)(ifp, m, (struct sockaddr *) &dst, NULL);
if (mc != NULL) {
if (error == 0)
(*ifp->if_input)(ifp, mc);
! } else
! m_freem(mc);
splx(s);
KERNEL_UNLOCK_ONE(NULL);
/*
--- 676,684 ----
error = (*ifp->if_output)(ifp, m, (struct sockaddr *) &dst, NULL);
if (mc != NULL) {
if (error == 0)
(*ifp->if_input)(ifp, mc);
! else
! m_freem(mc);
! }
splx(s);
KERNEL_UNLOCK_ONE(NULL);
/*
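Review bot: the inner if/else on mc in the new lines 676-684 should be braced and commented, because the pairing of `else` with `if (error == 0)` now depends only on the position of a single closing brace, which is exactly what went wrong before. In the old lines 674-681 the `else` hung off `if (mc != NULL)`, so `m_freem(mc)` was only reached with mc == NULL and the error path kept the duplicate. Writing it as `if (error == 0) { (*ifp->if_input)(ifp, mc); } else { m_freem(mc); }` with a one-line comment that mc is either handed to if_input or freed here would make the ownership of the copy explicit on every path. Separately, the old range starts at 674 and the new one at 676 although no earlier hunk is shown, so please confirm the diff was taken against an unmodified revision 1.158.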
>How-To-Repeat:
>Fix:
see above.
--
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>
>Release-Note:
>Audit-Trail:
From: "Antti Kantee" <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44196 CVS commit: src/tests/net/bpf
Date: Mon, 6 Dec 2010 11:32:01 +0000
Module Name: src
Committed By: pooka
Date: Mon Dec 6 11:32:01 UTC 2010
Modified Files:
src/tests/net/bpf: Makefile
Added Files:
src/tests/net/bpf: t_bpf.c
Log Message:
Add an xfail test for the mbuf leak described in PR kern/44196.
This is yet another example of a simple test which would be much
trickier to execute against the host kernel. You would either need
to put networking in a complete lockdown, or do some "statistical"
methods where you trigger the bug many many times and attempt to
ascertain a rising trend in mbuf count. And, of course, the leaked
mbufs don't go away from the host kernel once the test ends. In
contrast, we *know* that there is no other networking activity in
a rump kernel, so we can execute the operation exactly once, plus
the leaked mbuf "disappears" when the test is done.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/net/bpf/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/net/bpf/t_bpf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: christos@NetBSD.org
State-Changed-When: Fri, 13 Jan 2012 11:29:42 -0500
State-Changed-Why:
fixed, thanks!
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44196 CVS commit: src/tests/net/bpf
Date: Fri, 13 Jan 2012 11:28:44 -0500
Module Name: src
Committed By: christos
Date: Fri Jan 13 16:28:44 UTC 2012
Modified Files:
src/tests/net/bpf: t_bpf.c
Log Message:
PR/44196 is now fixed, so don't expect a failure.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/tests/net/bpf/t_bpf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.