From 35b7675f726443ac3856400e0cf111b9dfc30e93 Mon Sep 17 00:00:00 2001
From: grehan
Date: Fri, 11 Oct 2013 21:30:27 +0000
Subject: [PATCH] Fix vmbus channel memory leak where incorrect length parameter was being passed to contigfree().
Submitted by: Microsoft hyperv dev team
Approved by: re@ (glebius)
---
 sys/dev/hyperv/include/hyperv.h | 3 +++
 sys/dev/hyperv/vmbus/hv_channel.c | 16 ++++++++--------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/sys/dev/hyperv/include/hyperv.h b/sys/dev/hyperv/include/hyperv.h
index 36512698fa7d..4257b371c717 100644
--- a/sys/dev/hyperv/include/hyperv.h
+++ b/sys/dev/hyperv/include/hyperv.h
@@ -24,6 +24,8 @@
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
 */
 /**
@@ -669,6 +671,7 @@ typedef struct hv_vmbus_channel {
 * Allocated memory for ring buffer
 */
 void* ring_buffer_pages;
+ unsigned long ring_buffer_size;
 uint32_t ring_buffer_page_count;
 /*
 * send to parent
diff --git a/sys/dev/hyperv/vmbus/hv_channel.c b/sys/dev/hyperv/vmbus/hv_channel.c
index c467c2218469..103260a6adf7 100644
--- a/sys/dev/hyperv/vmbus/hv_channel.c
+++ b/sys/dev/hyperv/vmbus/hv_channel.c
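Review bot: The new `ring_buffer_size` member added to `hv_vmbus_channel` in hyperv.h (second hunk) carries no comment stating its unit, although it sits directly beside `ring_buffer_page_count`, which counts pages. Confusing those two units is the defect this commit repairs, so the field should say what it holds, for example `/* bytes allocated for ring_buffer_pages; the length to give contigfree() */`. The struct definition starts and ends outside the hunk, so whether other code depends on the layout of this structure cannot be judged from here.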
@@ -104,17 +104,19 @@ hv_vmbus_channel_open(
 /* Allocate the ring buffer */
 out = contigmalloc((send_ring_buffer_size + recv_ring_buffer_size),
- M_DEVBUF, M_ZERO, 0UL, BUS_SPACE_MAXADDR, PAGE_SIZE, 0);
+ M_DEVBUF, M_ZERO, 0UL, BUS_SPACE_MAXADDR, PAGE_SIZE, 0);
 KASSERT(out != NULL,
 ("Error VMBUS: contigmalloc failed to allocate Ring Buffer!"));
 if (out == NULL)
- return (ENOMEM);
+ return (ENOMEM);
 in = ((uint8_t *) out + send_ring_buffer_size);
 new_channel->ring_buffer_pages = out;
- new_channel->ring_buffer_page_count = (send_ring_buffer_size
- + recv_ring_buffer_size) >> PAGE_SHIFT;
+ new_channel->ring_buffer_page_count = (send_ring_buffer_size +
+ recv_ring_buffer_size) >> PAGE_SHIFT;
+ new_channel->ring_buffer_size = send_ring_buffer_size +
+ recv_ring_buffer_size;
 hv_vmbus_ring_buffer_init(
 &new_channel->outbound,
@@ -539,10 +541,8 @@ hv_vmbus_channel_close(hv_vmbus_channel *channel)
 hv_ring_buffer_cleanup(&channel->outbound);
 hv_ring_buffer_cleanup(&channel->inbound);
- contigfree(
- channel->ring_buffer_pages,
- channel->ring_buffer_page_count,
- M_DEVBUF);
+ contigfree(channel->ring_buffer_pages, channel->ring_buffer_size,
+ M_DEVBUF);
 free(info, M_DEVBUF);
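Review bot: In the hv_vmbus_channel_open hunk the ring length `send_ring_buffer_size + recv_ring_buffer_size` is now spelled out three times (the contigmalloc() argument, the page count and the new `ring_buffer_size`), so the length later handed to contigfree() matches the allocation only while those expressions stay in step. Computing it once, e.g. `unsigned long ring_size = (unsigned long)send_ring_buffer_size + recv_ring_buffer_size;`, and using `ring_size` in all three places makes that hold by construction. If the two parameters are 32-bit (their declarations are outside the hunk), the widening also keeps the sum from wrapping before it is stored. The function body starts and ends outside the hunk, so any later error path that releases `out` should be checked for the same page-count versus byte-length mix-up.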
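Review bot: After the corrected contigfree() call in hv_vmbus_channel_close, `channel->ring_buffer_pages` and `channel->ring_buffer_size` still describe memory that has been handed back to the allocator. Unless the channel structure is itself released straight afterwards (the rest of the function is outside the hunk), clearing them with `channel->ring_buffer_pages = NULL; channel->ring_buffer_size = 0;` would make a repeated close or a late access fail visibly rather than free or touch kernel memory that may already belong to someone else. It is also worth confirming that close cannot run for a channel whose open returned before the buffer was allocated.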