From: kaf24@firebug.cl.cam.ac.uk Date: Fri, 9 Jun 2006 13:10:32 +0000 (+0100) Subject: [NET] front: There's a small leak on a couple error paths in setup_device(). X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~15972^2~31 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=720b2f61b3f55d5881b0d52222e05e18b146d811;p=xen.git [NET] front: There's a small leak on a couple error paths in setup_device(). While there rearrange the ring setup order slightly to simplify error path since netif_free() will cleanup once ring_ref is valid. And use get_zeroed_page() instead of __get_free_page()/memset(). Handle error if bind_evtchn_to_irqhandler() fails, as bad info->irq value is likely to cause oops later. In create_device(), gnttab_free_grant_references() is accidentally called twice on tx_head during cleanup from failed gnttab_alloc_grant_references() on rx_head, which could corrupt gnttab_free_count. Signed-off-by: Chris Wright --- diff --git a/linux-2.6-xen-sparse/drivers/xen/netfront/netfront.c b/linux-2.6-xen-sparse/drivers/xen/netfront/netfront.c index fec3a4ea4a..99649fa396 100644 --- a/linux-2.6-xen-sparse/drivers/xen/netfront/netfront.c +++ b/linux-2.6-xen-sparse/drivers/xen/netfront/netfront.c @@ -338,35 +338,36 @@ static int setup_device(struct xenbus_device *dev, struct netfront_info *info) info->tx.sring = NULL; info->irq = 0; - txs = (struct netif_tx_sring *)__get_free_page(GFP_KERNEL); + txs = (struct netif_tx_sring *)get_zeroed_page(GFP_KERNEL); if (!txs) { err = -ENOMEM; xenbus_dev_fatal(dev, err, "allocating tx ring page"); goto fail; } - rxs = (struct netif_rx_sring *)__get_free_page(GFP_KERNEL); + SHARED_RING_INIT(txs); + FRONT_RING_INIT(&info->tx, txs, PAGE_SIZE); + + err = xenbus_grant_ring(dev, virt_to_mfn(txs)); + if (err < 0) { + free_page((unsigned long)txs); + goto fail; + } + info->tx_ring_ref = err; + + rxs = (struct netif_rx_sring *)get_zeroed_page(GFP_KERNEL); if (!rxs) { err = -ENOMEM; xenbus_dev_fatal(dev, err, "allocating rx ring page"); goto fail; } - memset(txs, 0, PAGE_SIZE); - memset(rxs, 0, PAGE_SIZE); - - SHARED_RING_INIT(txs); - FRONT_RING_INIT(&info->tx, txs, PAGE_SIZE); - SHARED_RING_INIT(rxs); FRONT_RING_INIT(&info->rx, rxs, PAGE_SIZE); - err = xenbus_grant_ring(dev, virt_to_mfn(txs)); - if (err < 0) - goto fail; - info->tx_ring_ref = err; - err = xenbus_grant_ring(dev, virt_to_mfn(rxs)); - if (err < 0) + if (err < 0) { + free_page((unsigned long)rxs); goto fail; + } info->rx_ring_ref = err; err = xenbus_alloc_evtchn(dev, &info->evtchn); @@ -374,10 +375,11 @@ static int setup_device(struct xenbus_device *dev, struct netfront_info *info) goto fail; memcpy(netdev->dev_addr, info->mac, ETH_ALEN); - info->irq = bind_evtchn_to_irqhandler( - info->evtchn, netif_int, SA_SAMPLE_RANDOM, netdev->name, - netdev); - + err = bind_evtchn_to_irqhandler(info->evtchn, netif_int, + SA_SAMPLE_RANDOM, netdev->name, netdev); + if (err < 0) + goto fail; + info->irq = err; return 0; fail: @@ -1397,7 +1399,6 @@ static struct net_device * __devinit create_netdev(int handle, if (gnttab_alloc_grant_references(RX_MAX_TARGET, &np->gref_rx_head) < 0) { printk(KERN_ALERT "#### netfront can't alloc rx grant refs\n"); - gnttab_free_grant_references(np->gref_tx_head); err = -ENOMEM; goto exit_free_tx; }