From: Simon Horman <horms@kernel.org>
To: Tariq Toukan <tariqt@nvidia.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Saeed Mahameed <saeedm@nvidia.com>,
Leon Romanovsky <leon@kernel.org>,
netdev@vger.kernel.org, linux-rdma@vger.kernel.org,
linux-kernel@vger.kernel.org, Moshe Shemesh <moshe@nvidia.com>,
Mark Bloch <mbloch@nvidia.com>, Gal Pressman <gal@nvidia.com>,
Jianbo Liu <jianbol@nvidia.com>
Subject: Re: [PATCH net 2/2] net/mlx5e: Fix leak of Geneve TLV option object
Date: Thu, 22 May 2025 20:16:51 +0100 [thread overview]
Message-ID: <20250522191651.GL365796@horms.kernel.org> (raw)
In-Reply-To: <1747895286-1075233-3-git-send-email-tariqt@nvidia.com>
On Thu, May 22, 2025 at 09:28:06AM +0300, Tariq Toukan wrote:
> From: Jianbo Liu <jianbol@nvidia.com>
>
> Previously, a unique tunnel id was added for the matching on TC
> non-zero chains, to support inner header rewrite with goto action.
> Later, it was used to support VF tunnel offload for vxlan, then for
> Geneve and GRE. To support VF tunnel, a temporary mlx5_flow_spec is
> used to parse tunnel options. For Geneve, if there is TLV option, a
> object is created, or refcnt is added if already exists. But the
> temporary mlx5_flow_spec is directly freed after parsing, which causes
> the leak because no information regarding the object is saved in
> flow's mlx5_flow_spec, which is used to free the object when deleting
> the flow.
>
> To fix the leak, call mlx5_geneve_tlv_option_del() before free the
> temporary spec if it has TLV object.
>
> Fixes: 521933cdc4aa ("net/mlx5e: Support Geneve and GRE with VF tunnel offload")
> Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
> Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> index f1d908f61134..b9c1d7f8f05c 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> @@ -2028,9 +2028,8 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
> return err;
> }
>
> -static bool mlx5_flow_has_geneve_opt(struct mlx5e_tc_flow *flow)
> +static bool mlx5_flow_has_geneve_opt(struct mlx5_flow_spec *spec)
> {
> - struct mlx5_flow_spec *spec = &flow->attr->parse_attr->spec;
> void *headers_v = MLX5_ADDR_OF(fte_match_param,
> spec->match_value,
> misc_parameters_3);
> @@ -2069,7 +2068,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv,
> }
> complete_all(&flow->del_hw_done);
>
> - if (mlx5_flow_has_geneve_opt(flow))
> + if (mlx5_flow_has_geneve_opt(&attr->parse_attr->spec))
> mlx5_geneve_tlv_option_del(priv->mdev->geneve);
>
> if (flow->decap_route)
Hi,
The lines leading up to the hung below are:
err = mlx5e_tc_tun_parse(filter_dev, priv, tmp_spec, f, match_level);
if (err) {
kvfree(tmp_spec);
NL_SET_ERR_MSG_MOD(extack, "Failed to parse tunnel attributes");
netdev_warn(priv->netdev, "Failed to parse tunnel attributes");
I am wondering if the same resource leak described in the patch description
can occur if mlx5e_tc_tun_parse() fails after it successfully calls
tunnel->parse_tunnel().
> @@ -2580,6 +2579,8 @@ static int parse_tunnel_attr(struct mlx5e_priv *priv,
> return err;
> }
> err = mlx5e_tc_set_attr_rx_tun(flow, tmp_spec);
> + if (mlx5_flow_has_geneve_opt(tmp_spec))
> + mlx5_geneve_tlv_option_del(priv->mdev->geneve);
> kvfree(tmp_spec);
> if (err)
> return err;
> --
> 2.31.1
>
>
next prev parent reply other threads:[~2025-05-22 19:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-22 6:28 [PATCH net 0/2] mlx5 misc fixes 2025-05-22 Tariq Toukan
2025-05-22 6:28 ` [PATCH net 1/2] net/mlx5: Ensure fw pages are always allocated on same NUMA Tariq Toukan
2025-05-22 8:57 ` Dawid Osuchowski
2025-05-22 6:28 ` [PATCH net 2/2] net/mlx5e: Fix leak of Geneve TLV option object Tariq Toukan
2025-05-22 19:16 ` Simon Horman [this message]
2025-05-23 1:58 ` Jianbo Liu
2025-05-23 7:19 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250522191651.GL365796@horms.kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gal@nvidia.com \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mbloch@nvidia.com \
--cc=moshe@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.