| Message ID | 20250411022916.44698-2-bsdhenrymartin@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net/mlx5: Fix null-ptr-deref in TTC table creation | expand |
On Fri, Apr 11, 2025 at 10:29:16AM +0800, Henry Martin wrote: > Add NULL check for mlx5_get_flow_namespace() returns in > mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent > NULL pointer dereference. > > Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table") > Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> > --- > V2 -> V3: No functional changes, just gathering the patches in a series. > V1 -> V2: Add a empty line after the return statement. > > drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > index eb3bd9c7f66e..18cc6960a5c1 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > @@ -655,6 +655,9 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > } > > ns = mlx5_get_flow_namespace(dev, params->ns_type); > + if (!ns) > + return ERR_PTR(-EOPNOTSUPP); There is ttc = kvzalloc() before. I think you should call kvfree(ttc) before returning. It looks like the same leak is already when params->ns_type is unknown. > + > groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] : > &inner_ttc_groups[TTC_GROUPS_DEFAULT]; > > @@ -728,6 +731,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > } > > ns = mlx5_get_flow_namespace(dev, params->ns_type); > + if (!ns) > + return ERR_PTR(-EOPNOTSUPP); The same here. > + > groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : > &ttc_groups[TTC_GROUPS_DEFAULT]; > > -- > 2.34.1
> There is ttc = kvzalloc() before. I think you should call kvfree(ttc) > before returning. It looks like the same leak is already when > params->ns_type is unknown. Thanks for the review and the helpful suggestions! I've addressed the kvfree(ttc) memory leak issue and updated the logic accordingly in both code paths. The updated patch has been sent out as v4. Regards, Henry Michal Swiatkowski <michal.swiatkowski@linux.intel.com> 于2025年4月11日周五 13:34写道: > > On Fri, Apr 11, 2025 at 10:29:16AM +0800, Henry Martin wrote: > > Add NULL check for mlx5_get_flow_namespace() returns in > > mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent > > NULL pointer dereference. > > > > Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table") > > Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> > > --- > > V2 -> V3: No functional changes, just gathering the patches in a series. > > V1 -> V2: Add a empty line after the return statement. > > > > drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > > index eb3bd9c7f66e..18cc6960a5c1 100644 > > --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > > +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > > @@ -655,6 +655,9 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > > } > > > > ns = mlx5_get_flow_namespace(dev, params->ns_type); > > + if (!ns) > > + return ERR_PTR(-EOPNOTSUPP); > > There is ttc = kvzalloc() before. I think you should call kvfree(ttc) > before returning. It looks like the same leak is already when > params->ns_type is unknown. > > > + > > groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] : > > &inner_ttc_groups[TTC_GROUPS_DEFAULT]; > > > > @@ -728,6 +731,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > > } > > > > ns = mlx5_get_flow_namespace(dev, params->ns_type); > > + if (!ns) > > + return ERR_PTR(-EOPNOTSUPP); > > The same here. > > > + > > groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : > > &ttc_groups[TTC_GROUPS_DEFAULT]; > > > > -- > > 2.34.1
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index eb3bd9c7f66e..18cc6960a5c1 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c @@ -655,6 +655,9 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, } ns = mlx5_get_flow_namespace(dev, params->ns_type); + if (!ns) + return ERR_PTR(-EOPNOTSUPP); + groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] : &inner_ttc_groups[TTC_GROUPS_DEFAULT]; @@ -728,6 +731,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, } ns = mlx5_get_flow_namespace(dev, params->ns_type); + if (!ns) + return ERR_PTR(-EOPNOTSUPP); + groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : &ttc_groups[TTC_GROUPS_DEFAULT];
Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference. Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table") Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> --- V2 -> V3: No functional changes, just gathering the patches in a series. V1 -> V2: Add a empty line after the return statement. drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 6 ++++++ 1 file changed, 6 insertions(+)