Skip to content

Commit

Permalink
net_sched: sfq: fix mem alloc error recovery
Browse files Browse the repository at this point in the history 
Since commit 817fb15 (net_sched: sfq: allow divisor to be a
parameter), we can leave perturbation timer armed if a memory allocation
error aborts sfq_init().

Memory containing active struct timer_list is freed and kernel can
crash.

Call sfq_destroy() from sfq_init() to properly dismantle qdisc.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Eric Dumazet authored and David S. Miller committed Jan 4, 2012
1 parent 6cfb5e7 commit bd16a6c
Showing 1 changed file with 33 additions and 19 deletions.
52 changes: 33 additions & 19 deletions net/sched/sch_sfq.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -544,10 +544,38 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
return 0;
}

static void *sfq_alloc(size_t sz)
{
void *ptr = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN);

if (!ptr)
ptr = vmalloc(sz);
return ptr;
}

static void sfq_free(void *addr)
{
if (addr) {
if (is_vmalloc_addr(addr))
vfree(addr);
else
kfree(addr);
}
}

static void sfq_destroy(struct Qdisc *sch)
{
struct sfq_sched_data *q = qdisc_priv(sch);

tcf_destroy_chain(&q->filter_list);
q->perturb_period = 0;
del_timer_sync(&q->perturb_timer);
sfq_free(q->ht);
}

static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
{
struct sfq_sched_data *q = qdisc_priv(sch);
size_t sz;
int i;

q->perturb_timer.function = sfq_perturbation;
Expand All @@ -574,12 +602,11 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
return err;
}

sz = sizeof(q->ht[0]) * q->divisor;
q->ht = kmalloc(sz, GFP_KERNEL);
if (!q->ht && sz > PAGE_SIZE)
q->ht = vmalloc(sz);
if (!q->ht)
q->ht = sfq_alloc(sizeof(q->ht[0]) * q->divisor);
if (!q->ht) {
sfq_destroy(sch);
return -ENOMEM;
}
for (i = 0; i < q->divisor; i++)
q->ht[i] = SFQ_EMPTY_SLOT;

Expand All @@ -594,19 +621,6 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
return 0;
}

static void sfq_destroy(struct Qdisc *sch)
{
struct sfq_sched_data *q = qdisc_priv(sch);

tcf_destroy_chain(&q->filter_list);
q->perturb_period = 0;
del_timer_sync(&q->perturb_timer);
if (is_vmalloc_addr(q->ht))
vfree(q->ht);
else
kfree(q->ht);
}

static int sfq_dump(struct Qdisc *sch, struct sk_buff *skb)
{
struct sfq_sched_data *q = qdisc_priv(sch);
Expand Down

0 comments on commit bd16a6c

Please sign in to comment.