* [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
@ 2025-04-18 2:38 Henry Martin
2025-04-18 2:38 ` [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Henry Martin @ 2025-04-18 2:38 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, amirtz
Cc: netdev, linux-rdma, linux-kernel
This patch series addresses two issues in the
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() functions:
1. A potential NULL pointer dereference if mlx5_get_flow_namespace()
returns NULL.
2. A memory leak in the error path when ttc_type is invalid (default:
switch case).
Henry Martin (2):
net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
net/mlx5: Move ttc allocation after switch case to prevent leaks
.../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 26 +++++++++++++------
1 file changed, 18 insertions(+), 8 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
2025-04-18 2:38 [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
@ 2025-04-18 2:38 ` Henry Martin
2025-04-21 9:50 ` Markus Elfring
2025-04-18 2:38 ` [PATCH v7 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Henry Martin @ 2025-04-18 2:38 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, amirtz
Cc: netdev, linux-rdma, linux-kernel, Michal Swiatkowski
Add NULL check for mlx5_get_flow_namespace() returns in
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
NULL pointer dereference.
Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
---
drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index eb3bd9c7f66e..066121fed718 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
}
ns = mlx5_get_flow_namespace(dev, params->ns_type);
+ if (!ns) {
+ kvfree(ttc);
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
&inner_ttc_groups[TTC_GROUPS_DEFAULT];
@@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
}
ns = mlx5_get_flow_namespace(dev, params->ns_type);
+ if (!ns) {
+ kvfree(ttc);
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
&ttc_groups[TTC_GROUPS_DEFAULT];
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v7 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
2025-04-18 2:38 [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-18 2:38 ` [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
@ 2025-04-18 2:38 ` Henry Martin
2025-04-21 9:10 ` [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
2025-04-22 9:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 6+ messages in thread
From: Henry Martin @ 2025-04-18 2:38 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, amirtz
Cc: netdev, linux-rdma, linux-kernel, Michal Swiatkowski
Relocate the memory allocation for ttc table after the switch statement
that validates params->ns_type in both mlx5_create_inner_ttc_table() and
mlx5_create_ttc_table(). This ensures memory is only allocated after
confirming valid input, eliminating potential memory leaks when invalid
ns_type cases occur.
Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
---
.../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index 066121fed718..513dafd5ebf2 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
bool use_l4_type;
int err;
- ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
- if (!ttc)
- return ERR_PTR(-ENOMEM);
-
switch (params->ns_type) {
case MLX5_FLOW_NAMESPACE_PORT_SEL:
use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
@@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
return ERR_PTR(-EINVAL);
}
+ ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
+ if (!ttc)
+ return ERR_PTR(-ENOMEM);
+
ns = mlx5_get_flow_namespace(dev, params->ns_type);
if (!ns) {
kvfree(ttc);
@@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
bool use_l4_type;
int err;
- ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
- if (!ttc)
- return ERR_PTR(-ENOMEM);
-
switch (params->ns_type) {
case MLX5_FLOW_NAMESPACE_PORT_SEL:
use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) &&
@@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
return ERR_PTR(-EINVAL);
}
+ ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL);
+ if (!ttc)
+ return ERR_PTR(-ENOMEM);
+
ns = mlx5_get_flow_namespace(dev, params->ns_type);
if (!ns) {
kvfree(ttc);
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
2025-04-18 2:38 [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-18 2:38 ` [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
2025-04-18 2:38 ` [PATCH v7 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
@ 2025-04-21 9:10 ` Markus Elfring
2025-04-22 9:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 6+ messages in thread
From: Markus Elfring @ 2025-04-21 9:10 UTC (permalink / raw)
To: Henry Martin, linux-rdma, netdev
Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski,
Paolo Abeni, Saeed Mahameed, Simon Horman, Tariq Toukan
> This patch series addresses two issues in …
Did you overlook the addition of patch version descriptions once more?
https://lore.kernel.org/all/?q=%22This+looks+like+a+new+version+of+a+previously+submitted+patch%22
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.15-rc3#n310
Regards,
Markus
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
2025-04-18 2:38 ` [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
@ 2025-04-21 9:50 ` Markus Elfring
0 siblings, 0 replies; 6+ messages in thread
From: Markus Elfring @ 2025-04-21 9:50 UTC (permalink / raw)
To: Henry Martin, linux-rdma, netdev
Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski,
Paolo Abeni, Saeed Mahameed, Simon Horman, Tariq Toukan
> Add NULL check for mlx5_get_flow_namespace() returns in
> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
> NULL pointer dereference.
* Can an other summary phrase variant become more desirable accordingly?
* Please avoid duplicate source code.
Regards,
Markus
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
2025-04-18 2:38 [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
` (2 preceding siblings ...)
2025-04-21 9:10 ` [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
@ 2025-04-22 9:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-04-22 9:10 UTC (permalink / raw)
To: henry martin
Cc: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, mbloch, amirtz, netdev, linux-rdma, linux-kernel
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Fri, 18 Apr 2025 10:38:12 +0800 you wrote:
> This patch series addresses two issues in the
> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() functions:
>
> 1. A potential NULL pointer dereference if mlx5_get_flow_namespace()
> returns NULL.
>
> 2. A memory leak in the error path when ttc_type is invalid (default:
> switch case).
>
> [...]
Here is the summary with links:
- [v7,1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
https://git.kernel.org/netdev/net/c/91037037ee3d
- [v7,2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks
https://git.kernel.org/netdev/net/c/fa8fd315127c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-04-22 9:09 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-18 2:38 [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-18 2:38 ` [PATCH v7 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
2025-04-21 9:50 ` Markus Elfring
2025-04-18 2:38 ` [PATCH v7 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
2025-04-21 9:10 ` [PATCH v7 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
2025-04-22 9:10 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox