From: Dan Carpenter <dan.carpenter@oracle.com>
To: vladbu@mellanox.com
Cc: linux-rdma@vger.kernel.org
Subject: [bug report] net/mlx5e: Extend encap entry with reference counter
Date: Wed, 14 Aug 2019 13:53:02 +0300 [thread overview]
Message-ID: <20190814105302.GA14514@mwanda> (raw)
[ I already wrote this email, but it looks like I deleted it instead of
sending it. So weird. I hopefully don't send it twice! ]
Hi Vlad,
I noticed a possible refcounting bug in commit 948993f2beeb ("net/mlx5e:
Extend encap entry with reference counter") from Jun 3, 2018.
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:1435 mlx5e_tc_update_neigh_used_value()
error: dereferencing freed memory 'e'
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
1415 void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe)
1416 {
1417 struct mlx5e_neigh *m_neigh = &nhe->m_neigh;
1418 struct mlx5e_tc_flow *flow;
1419 struct mlx5e_encap_entry *e;
1420 struct mlx5_fc *counter;
1421 struct neigh_table *tbl;
1422 bool neigh_used = false;
1423 struct neighbour *n;
1424 u64 lastuse;
1425
1426 if (m_neigh->family == AF_INET)
1427 tbl = &arp_tbl;
1428 #if IS_ENABLED(CONFIG_IPV6)
1429 else if (m_neigh->family == AF_INET6)
1430 tbl = &nd_tbl;
1431 #endif
1432 else
1433 return;
1434
1435 list_for_each_entry_safe(e, tmp, &nhe->encap_list, encap_list) {
1436 struct encap_flow_item *efi, *tmp;
1437
1438 if (!(e->flags & MLX5_ENCAP_ENTRY_VALID) ||
1439 !mlx5e_encap_take(e))
^^^^^^^^^^^^^^^^^^^
We take a reference here.
1440 continue;
1441
1442 list_for_each_entry_safe(efi, tmp, &e->flows, list) {
1443 flow = container_of(efi, struct mlx5e_tc_flow,
1444 encaps[efi->index]);
1445 if (IS_ERR(mlx5e_flow_get(flow)))
1446 continue;
1447
1448 if (mlx5e_is_offloaded_flow(flow)) {
1449 counter = mlx5e_tc_get_counter(flow);
1450 lastuse = mlx5_fc_query_lastuse(counter);
1451 if (time_after((unsigned long)lastuse, nhe->reported_lastuse)) {
1452 mlx5e_flow_put(netdev_priv(e->out_dev), flow);
1453 neigh_used = true;
1454 break;
I think we need to call mlx5e_encap_put(netdev_priv(e->out_dev), e);
before this break;
1455 }
1456 }
1457
1458 mlx5e_flow_put(netdev_priv(e->out_dev), flow);
1459 }
1460
1461 mlx5e_encap_put(netdev_priv(e->out_dev), e);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1462 if (neigh_used)
1463 break;
1464 }
1465
regards,
dan carpenter
next reply other threads:[~2019-08-14 10:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 10:53 Dan Carpenter [this message]
2019-08-14 13:49 ` [bug report] net/mlx5e: Extend encap entry with reference counter Vlad Buslov
2019-08-14 14:00 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190814105302.GA14514@mwanda \
--to=dan.carpenter@oracle.com \
--cc=linux-rdma@vger.kernel.org \
--cc=vladbu@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox