d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix vmbus channel memory leak where incorrect length parameter was

Browse Source 
being passed to contigfree().

Submitted by:	Microsoft hyperv dev team
Approved by:	re@ (glebius)
This commit is contained in:
grehan 2013-10-11 21:30:27 +00:00
parent b1f224fcfd
commit 35b7675f72
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/dev/hyperv/include/hyperv.h
View File

@ -24,6 +24,8 @@
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/**
@ -669,6 +671,7 @@ typedef struct hv_vmbus_channel {
* Allocated memory for ring buffer
*/
void* ring_buffer_pages;
unsigned long ring_buffer_size;
uint32_t ring_buffer_page_count;
/*
* send to parent

16
sys/dev/hyperv/vmbus/hv_channel.c
View File

@ -104,17 +104,19 @@ hv_vmbus_channel_open(
/* Allocate the ring buffer */
out = contigmalloc((send_ring_buffer_size + recv_ring_buffer_size),
M_DEVBUF, M_ZERO, 0UL, BUS_SPACE_MAXADDR, PAGE_SIZE, 0);
M_DEVBUF, M_ZERO, 0UL, BUS_SPACE_MAXADDR, PAGE_SIZE, 0);
KASSERT(out != NULL,
("Error VMBUS: contigmalloc failed to allocate Ring Buffer!"));
if (out == NULL)
return (ENOMEM);
return (ENOMEM);
in = ((uint8_t *) out + send_ring_buffer_size);
new_channel->ring_buffer_pages = out;
new_channel->ring_buffer_page_count = (send_ring_buffer_size
+ recv_ring_buffer_size) >> PAGE_SHIFT;
new_channel->ring_buffer_page_count = (send_ring_buffer_size +
recv_ring_buffer_size) >> PAGE_SHIFT;
new_channel->ring_buffer_size = send_ring_buffer_size +
recv_ring_buffer_size;
hv_vmbus_ring_buffer_init(
&new_channel->outbound,
@ -539,10 +541,8 @@ hv_vmbus_channel_close(hv_vmbus_channel *channel)
hv_ring_buffer_cleanup(&channel->outbound);
hv_ring_buffer_cleanup(&channel->inbound);
contigfree(
channel->ring_buffer_pages,
channel->ring_buffer_page_count,
M_DEVBUF);
contigfree(channel->ring_buffer_pages, channel->ring_buffer_size,
M_DEVBUF);
free(info, M_DEVBUF);