* [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
@ 2025-04-16 9:22 Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz
Cc: netdev, linux-rdma, linux-kernel
This patch series addresses two issues in the
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() functions:
1. A potential NULL pointer dereference if mlx5_get_flow_namespace()
returns NULL.
2. A memory leak in the error path when ttc_type is invalid (default:
switch case).
Henry Martin (2):
net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
net/mlx5: Move ttc allocation after switch case to prevent leaks
.../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 26 +++++++++++++------
1 file changed, 18 insertions(+), 8 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
@ 2025-04-16 9:22 ` Henry Martin
2025-04-16 19:00 ` Markus Elfring
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
2 siblings, 1 reply; 9+ messages in thread
From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz
Cc: netdev, linux-rdma, linux-kernel
Add NULL check for mlx5_get_flow_namespace() returns in
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
NULL pointer dereference.
Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
---
drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index eb3bd9c7f66e..066121fed718 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
}
ns = mlx5_get_flow_namespace(dev, params->ns_type);
+ if (!ns) {
+ kvfree(ttc);
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
&inner_ttc_groups[TTC_GROUPS_DEFAULT];
@@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
}
ns = mlx5_get_flow_namespace(dev, params->ns_type);
+ if (!ns) {
+ kvfree(ttc);
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
&ttc_groups[TTC_GROUPS_DEFAULT];
--
2.34.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
@ 2025-04-16 9:22 ` Henry Martin
2025-04-16 11:06 ` Michal Swiatkowski
2025-04-16 12:02 ` Mark Bloch
2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
2 siblings, 2 replies; 9+ messages in thread
From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz
Cc: netdev, linux-rdma, linux-kernel
Relocate the memory allocation for ttc table after the switch statement
that validates params->ns_type in both mlx5_create_inner_ttc_table() and
mlx5_create_ttc_table(). This ensures memory is only allocated after
confirming valid input, eliminating potential memory leaks when invalid
ns_type cases occur.
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
---
.../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index 066121fed718..513dafd5ebf2 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
bool use_l4_type;
int err;
- ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
- if (!ttc)
- return ERR_PTR(-ENOMEM);
-
switch (params->ns_type) {
case MLX5_FLOW_NAMESPACE_PORT_SEL:
use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
@@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
return ERR_PTR(-EINVAL);
}
+ ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
+ if (!ttc)
+ return ERR_PTR(-ENOMEM);
+
ns = mlx5_get_flow_namespace(dev, params->ns_type);
if (!ns) {
kvfree(ttc);
@@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
bool use_l4_type;
int err;
- ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
- if (!ttc)
- return ERR_PTR(-ENOMEM);
-
switch (params->ns_type) {
case MLX5_FLOW_NAMESPACE_PORT_SEL:
use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
@@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
return ERR_PTR(-EINVAL);
}
+ ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
+ if (!ttc)
+ return ERR_PTR(-ENOMEM);
+
ns = mlx5_get_flow_namespace(dev, params->ns_type);
if (!ns) {
kvfree(ttc);
--
2.34.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
@ 2025-04-16 11:06 ` Michal Swiatkowski
2025-04-16 12:02 ` Mark Bloch
1 sibling, 0 replies; 9+ messages in thread
From: Michal Swiatkowski @ 2025-04-16 11:06 UTC (permalink / raw)
To: Henry Martin
Cc: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, mbloch, michal.swiatkowski, amirtz, netdev, linux-rdma,
linux-kernel
On Wed, Apr 16, 2025 at 05:22:43PM +0800, Henry Martin wrote:
> Relocate the memory allocation for ttc table after the switch statement
> that validates params->ns_type in both mlx5_create_inner_ttc_table() and
> mlx5_create_ttc_table(). This ensures memory is only allocated after
> confirming valid input, eliminating potential memory leaks when invalid
> ns_type cases occur.
>
> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
> ---
> .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> index 066121fed718..513dafd5ebf2 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> @@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> bool use_l4_type;
> int err;
>
> - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> - if (!ttc)
> - return ERR_PTR(-ENOMEM);
> -
> switch (params->ns_type) {
> case MLX5_FLOW_NAMESPACE_PORT_SEL:
> use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
> @@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> return ERR_PTR(-EINVAL);
> }
>
> + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> + if (!ttc)
> + return ERR_PTR(-ENOMEM);
> +
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> if (!ns) {
> kvfree(ttc);
> @@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> bool use_l4_type;
> int err;
>
> - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> - if (!ttc)
> - return ERR_PTR(-ENOMEM);
> -
> switch (params->ns_type) {
> case MLX5_FLOW_NAMESPACE_PORT_SEL:
> use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
> @@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> return ERR_PTR(-EINVAL);
> }
>
> + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> + if (!ttc)
> + return ERR_PTR(-ENOMEM);
> +
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> if (!ns) {
> kvfree(ttc);
Thanks for fixing
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
2025-04-16 11:06 ` Michal Swiatkowski
@ 2025-04-16 12:02 ` Mark Bloch
2025-04-17 15:04 ` Jakub Kicinski
1 sibling, 1 reply; 9+ messages in thread
From: Mark Bloch @ 2025-04-16 12:02 UTC (permalink / raw)
To: Henry Martin, saeedm, leon, tariqt, andrew+netdev, davem,
edumazet, kuba, pabeni, michal.swiatkowski, amirtz
Cc: netdev, linux-rdma, linux-kernel
On 16/04/2025 12:22, Henry Martin wrote:
> Relocate the memory allocation for ttc table after the switch statement
> that validates params->ns_type in both mlx5_create_inner_ttc_table() and
> mlx5_create_ttc_table(). This ensures memory is only allocated after
> confirming valid input, eliminating potential memory leaks when invalid
> ns_type cases occur.
>
> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
> ---
> .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> index 066121fed718..513dafd5ebf2 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> @@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> bool use_l4_type;
> int err;
>
> - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> - if (!ttc)
> - return ERR_PTR(-ENOMEM);
> -
> switch (params->ns_type) {
> case MLX5_FLOW_NAMESPACE_PORT_SEL:
> use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
> @@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> return ERR_PTR(-EINVAL);
> }
>
> + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> + if (!ttc)
> + return ERR_PTR(-ENOMEM);
> +
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> if (!ns) {
> kvfree(ttc);
> @@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> bool use_l4_type;
> int err;
>
> - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> - if (!ttc)
> - return ERR_PTR(-ENOMEM);
> -
> switch (params->ns_type) {
> case MLX5_FLOW_NAMESPACE_PORT_SEL:
> use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
> @@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> return ERR_PTR(-EINVAL);
> }
>
> + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
> + if (!ttc)
> + return ERR_PTR(-ENOMEM);
> +
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> if (!ns) {
> kvfree(ttc);
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Mark
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
@ 2025-04-16 18:38 ` Markus Elfring
2 siblings, 0 replies; 9+ messages in thread
From: Markus Elfring @ 2025-04-16 18:38 UTC (permalink / raw)
To: Henry Martin, linux-rdma, netdev
Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski,
Paolo Abeni, Saeed Mahameed, Tariq Toukan
> This patch series addresses two issues in …
It would have been helpful to extend patch version descriptions accordingly.
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.15-rc2#n310
Regards,
Markus
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
@ 2025-04-16 19:00 ` Markus Elfring
0 siblings, 0 replies; 9+ messages in thread
From: Markus Elfring @ 2025-04-16 19:00 UTC (permalink / raw)
To: Henry Martin, linux-rdma, netdev
Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski,
Paolo Abeni, Saeed Mahameed, Tariq Toukan
> Add NULL check for mlx5_get_flow_namespace() returns in
> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
> NULL pointer dereference.
* Can an other summary phrase variant become more desirable accordingly?
* Please avoid duplicate source code.
Regards,
Markus
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-16 12:02 ` Mark Bloch
@ 2025-04-17 15:04 ` Jakub Kicinski
2025-04-18 2:42 ` henry martin
0 siblings, 1 reply; 9+ messages in thread
From: Jakub Kicinski @ 2025-04-17 15:04 UTC (permalink / raw)
To: Mark Bloch
Cc: Henry Martin, saeedm, leon, tariqt, andrew+netdev, davem,
edumazet, pabeni, michal.swiatkowski, amirtz, netdev, linux-rdma,
linux-kernel
On Wed, 16 Apr 2025 15:02:13 +0300 Mark Bloch wrote:
> On 16/04/2025 12:22, Henry Martin wrote:
> > Relocate the memory allocation for ttc table after the switch statement
> > that validates params->ns_type in both mlx5_create_inner_ttc_table() and
> > mlx5_create_ttc_table(). This ensures memory is only allocated after
> > confirming valid input, eliminating potential memory leaks when invalid
> > ns_type cases occur.
>
> Reviewed-by: Mark Bloch <mbloch@nvidia.com>
A bit hard to see from the context but I'm guessing this fixes
a memory leak? We need a Fixes tag..
reminder: please trim your replies
--
pw-bot: cr
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-17 15:04 ` Jakub Kicinski
@ 2025-04-18 2:42 ` henry martin
0 siblings, 0 replies; 9+ messages in thread
From: henry martin @ 2025-04-18 2:42 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Mark Bloch, saeedm, leon, tariqt, andrew+netdev, davem, edumazet,
pabeni, michal.swiatkowski, amirtz, netdev, linux-rdma,
linux-kernel
> A bit hard to see from the context but I'm guessing this fixes
> a memory leak? We need a Fixes tag..
Thanks for the reminder. I've added the Fixes tag in v7.
Regards,
Henry
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2025-04-18 2:42 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
2025-04-16 19:00 ` Markus Elfring
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
2025-04-16 11:06 ` Michal Swiatkowski
2025-04-16 12:02 ` Mark Bloch
2025-04-17 15:04 ` Jakub Kicinski
2025-04-18 2:42 ` henry martin
2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.