From: Nicolai Buchwitz <nb@tipi-net.de>
To: "Alexander A. Klimov" <grandmaster@al2klimov.de>
Cc: Haren Myneni <haren@linux.ibm.com>,
Rick Lindsley <ricklind@linux.ibm.com>,
Nick Child <nnac123@linux.ibm.com>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Thomas Falcon <tlfalcon@linux.vnet.ibm.com>,
Desnes Augusto Nunes do Rosario <desnesn@linux.vnet.ibm.com>,
netdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ibmvnic: fix krealloc() memory leak
Date: Tue, 26 May 2026 22:50:20 +0200
Message-ID: <fc74cefb2e0167514f1c3c0c3d6133ec@tipi-net.de>
In-Reply-To: <20260526184105.18962-6-grandmaster@al2klimov.de>
Hi Alex
Your patch is missing the prefix with the target tree. Please have
a look at [1] for more details on the workflow.
On 26.5.2026 20:41, Alexander A. Klimov wrote:
> Don't just overwrite the original pointer passed to krealloc()
> with its return value without checking latter:
>
> MEM = krealloc(MEM, SZ, GFP);
>
> If krealloc() returns NULL, that erases the pointer
> to the still allocated memory, hence leaks this memory.
> Instead, use a temporary variable, check it's not NULL
> and only then assign it to the original pointer:
>
> TMP = krealloc(MEM, SZ, GFP);
> if (!TMP) return;
> MEM = TMP;
>
> Fixes: 4e6759be28e4 ("ibmvnic: Feature implementation of Vital Product
> Data (VPD) for the ibmvnic driver")
> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
> ---
> drivers/net/ethernet/ibm/ibmvnic.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/ethernet/ibm/ibmvnic.c
> b/drivers/net/ethernet/ibm/ibmvnic.c
> index 5a510eed335e..25d1d844ad19 100644
> --- a/drivers/net/ethernet/ibm/ibmvnic.c
> +++ b/drivers/net/ethernet/ibm/ibmvnic.c
> @@ -1761,8 +1761,9 @@ static int ibmvnic_get_vpd(struct ibmvnic_adapter
> *adapter)
> union ibmvnic_crq crq;
> int len = 0;
> int rc;
> + unsigned char *buff = adapter->vpd->buff;
Should be reverse x-mas tree (longest to shortest).
>
> - if (adapter->vpd->buff)
> + if (buff)
> len = adapter->vpd->len;
>
> mutex_lock(&adapter->fw_lock);
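Review bot: the new local `buff` is initialised from adapter->vpd->buff in the declaration block, before mutex_lock(&adapter->fw_lock), so every later use in the function works on a snapshot of the pointer rather than the field itself. If that is intended, say so in the commit message; otherwise read the field at the point of use. The declaration also sits below the shorter `int rc;` line and should move up so the block stays ordered longest to shortest.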
> @@ -1788,17 +1789,17 @@ static int ibmvnic_get_vpd(struct
> ibmvnic_adapter *adapter)
> if (!adapter->vpd->len)
> return -ENODATA;
>
> - if (!adapter->vpd->buff)
> - adapter->vpd->buff = kzalloc(adapter->vpd->len, GFP_KERNEL);
> + if (!buff)
> + buff = kzalloc(adapter->vpd->len, GFP_KERNEL);
> else if (adapter->vpd->len != len)
> - adapter->vpd->buff =
> - krealloc(adapter->vpd->buff,
> - adapter->vpd->len, GFP_KERNEL);
> + buff = krealloc(buff,
> + adapter->vpd->len, GFP_KERNEL);
Dead branch? The only caller, init_resources(), kzalloc()s a fresh vpd
right before, and resets run release_vpd_data() first, so vpd->buff is
always NULL here and kzalloc() above always wins. The leak can't trigger,
which makes the Fixes tag misleading.
>
> - if (!adapter->vpd->buff) {
> + if (!buff) {
> dev_err(dev, "Could allocate VPD buffer\n");
> return -ENOMEM;
> }
> + adapter->vpd->buff = buff;
If you keep it anyway: on failure the old buffer stays in vpd->buff while
vpd->len is already the new size, a mismatch the original avoided by
NULLing. kfree() it (krealloc() does not free on failure) and NULL before
-ENOMEM.
>
> adapter->vpd->dma_addr =
> dma_map_single(dev, adapter->vpd->buff, adapter->vpd->len,
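Review bot: on the `if (!buff)` error path the function now returns -ENOMEM without touching adapter->vpd->buff, while the `if (!adapter->vpd->len)` check earlier in the hunk shows vpd->len has already been updated, so after a failed krealloc() the struct pairs the old buffer with the new length. Either free the old buffer and clear the field before returning, or restore the saved `len` from the first hunk. While in this block, the dev_err() text "Could allocate VPD buffer" says the opposite of what happened and should read "Could not allocate".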
[1] https://docs.kernel.org/process/maintainer-netdev.html
Thanks,
Nicolai
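
The failure handling discussed in this thread, as an added userspace example that is not part of the patch or the driver: a resize that goes through a temporary pointer and, on failure, frees the old buffer and clears the field as the review suggests. `struct vpd`, `vpd_resize()`, `try_realloc()` and `fail_next_alloc` are hypothetical names, realloc() stands in for krealloc(), and resetting the length to 0 on failure is an assumption of this sketch.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for the driver's VPD state. */
struct vpd { unsigned char *buff; size_t len; };

/* Test hook: when non-zero, the next resize allocation fails. */
static int fail_next_alloc;

static void *try_realloc(void *p, size_t sz)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;	/* like krealloc(): old block stays allocated */
	}
	return realloc(p, sz);
}

/* Resize v->buff; buff and len never disagree. Returns 0 or -1. */
static int vpd_resize(struct vpd *v, size_t new_len)
{
	unsigned char *tmp = try_realloc(v->buff, new_len);

	if (!tmp) {
		free(v->buff);	/* the failed call did not free it */
		v->buff = NULL;
		v->len = 0;	/* assumption: no buffer means no length */
		return -1;
	}
	if (new_len > v->len)	/* zero the new tail, as kzalloc() would */
		memset(tmp + v->len, 0, new_len - v->len);
	v->buff = tmp;
	v->len = new_len;	/* committed only after success */
	return 0;
}

int main(void)
{
	struct vpd v = { NULL, 0 };

	if (vpd_resize(&v, 64))
		return 1;
	fail_next_alloc = 1;	/* constructed failure for the second call */
	if (vpd_resize(&v, 128) != -1 || v.buff || v.len)
		return 1;
	return 0;
}
```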