| Message ID | 20201221085031.6591-1-dinghao.liu@zju.edu.cn (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net/mlx5e: Fix two double free cases | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 6 of 6 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 2 this patch: 2 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 22 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
| netdev/stable | success | Stable not CCed |
On Mon, Dec 21, 2020 at 04:50:31PM +0800, Dinghao Liu wrote: > mlx5e_create_ttc_table_groups() frees ft->g on failure of > kvzalloc(), but such failure will be caught by its caller > in mlx5e_create_ttc_table() and ft->g will be freed again > in mlx5e_destroy_flow_table(). The same issue also occurs > in mlx5e_create_ttc_table_groups(). > > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) I'm not thrilled to see release in the error flow that will be done in the different function. The missing piece is "ft->g = NULL" after kfree(). And also fixes lines are missing in all your patches. Thanks
> On Mon, Dec 21, 2020 at 04:50:31PM +0800, Dinghao Liu wrote: > > mlx5e_create_ttc_table_groups() frees ft->g on failure of > > kvzalloc(), but such failure will be caught by its caller > > in mlx5e_create_ttc_table() and ft->g will be freed again > > in mlx5e_destroy_flow_table(). The same issue also occurs > > in mlx5e_create_ttc_table_groups(). > > > > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> > > --- > > drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ > > 1 file changed, 2 insertions(+), 6 deletions(-) > > I'm not thrilled to see release in the error flow that will be done in > the different function. The missing piece is "ft->g = NULL" after kfree(). > > And also fixes lines are missing in all your patches. > Thank you for your advice! I will resend a new patch soon. Regards, Dinghao
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c index fa8149f6eb08..63323c5b6a50 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c @@ -940,10 +940,8 @@ static int mlx5e_create_ttc_table_groups(struct mlx5e_ttc_table *ttc, if (!ft->g) return -ENOMEM; in = kvzalloc(inlen, GFP_KERNEL); - if (!in) { - kfree(ft->g); + if (!in) return -ENOMEM; - } /* L4 Group */ mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); @@ -1085,10 +1083,8 @@ static int mlx5e_create_inner_ttc_table_groups(struct mlx5e_ttc_table *ttc) if (!ft->g) return -ENOMEM; in = kvzalloc(inlen, GFP_KERNEL); - if (!in) { - kfree(ft->g); + if (!in) return -ENOMEM; - } /* L4 Group */ mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria);
mlx5e_create_ttc_table_groups() frees ft->g on failure of kvzalloc(), but such failure will be caught by its caller in mlx5e_create_ttc_table() and ft->g will be freed again in mlx5e_destroy_flow_table(). The same issue also occurs in mlx5e_create_ttc_table_groups(). Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> --- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)