[PATCH v5 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation

[PATCH v5 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation

[Henry Martin]

This patch series addresses two issues in the
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() functions:

1. A potential NULL pointer dereference if mlx5_get_flow_namespace()
returns NULL.

2. A memory leak in the error path when ttc_type is invalid (default:
switch case).

Henry Martin (2):
  net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
  net/mlx5: Fix memory leak in error path of ttc creation

 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.34.1

[PATCH v5 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()

[Henry Martin]

Add NULL check for mlx5_get_flow_namespace() returns in
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
NULL pointer dereference.

Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index eb3bd9c7f66e..e48afd620d7e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
 	}
 
 	ns = mlx5_get_flow_namespace(dev, params->ns_type);
+	if (!ns) {
+		kvfree(ttc);
+		return ERR_PTR(-EOPNOTSUPP);
+	}
+
 	groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
 			       &inner_ttc_groups[TTC_GROUPS_DEFAULT];
 
@@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
 	}
 
 	ns = mlx5_get_flow_namespace(dev, params->ns_type);
+	if (!ns) {
+		kvfree(ttc);
+		return ERR_PTR(-EOPNOTSUPP);
+	}
+
 	groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
 			       &ttc_groups[TTC_GROUPS_DEFAULT];
 
-- 
2.34.1

Re: [PATCH v5 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()

[Mark Bloch]

On 15/04/2025 15:41, Henry Martin wrote:
> Add NULL check for mlx5_get_flow_namespace() returns in
> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
> NULL pointer dereference.
> 
> Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> index eb3bd9c7f66e..e48afd620d7e 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> @@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
>  	}
>  
>  	ns = mlx5_get_flow_namespace(dev, params->ns_type);
> +	if (!ns) {
> +		kvfree(ttc);
> +		return ERR_PTR(-EOPNOTSUPP);
> +	}
> +
>  	groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
>  			       &inner_ttc_groups[TTC_GROUPS_DEFAULT];
>  
> @@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
>  	}
>  
>  	ns = mlx5_get_flow_namespace(dev, params->ns_type);
> +	if (!ns) {
> +		kvfree(ttc);
> +		return ERR_PTR(-EOPNOTSUPP);
> +	}
> +
>  	groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
>  			       &ttc_groups[TTC_GROUPS_DEFAULT];
>  

Reviewed-by: Mark Bloch <mbloch@nvidia.com>

Mark

Re: [PATCH v5 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()

[Tariq Toukan]

On 15/04/2025 16:45, Mark Bloch wrote:
> 
> 
> On 15/04/2025 15:41, Henry Martin wrote:
>> Add NULL check for mlx5_get_flow_namespace() returns in
>> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
>> NULL pointer dereference.
>>
>> Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
>> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
>> ---
>>   drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++
>>   1 file changed, 10 insertions(+)
>>
>> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
>> index eb3bd9c7f66e..e48afd620d7e 100644
>> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
>> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
>> @@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
>>   	}
>>   
>>   	ns = mlx5_get_flow_namespace(dev, params->ns_type);
>> +	if (!ns) {
>> +		kvfree(ttc);
>> +		return ERR_PTR(-EOPNOTSUPP);
>> +	}
>> +
>>   	groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
>>   			       &inner_ttc_groups[TTC_GROUPS_DEFAULT];
>>   
>> @@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
>>   	}
>>   
>>   	ns = mlx5_get_flow_namespace(dev, params->ns_type);
>> +	if (!ns) {
>> +		kvfree(ttc);
>> +		return ERR_PTR(-EOPNOTSUPP);
>> +	}
>> +
>>   	groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
>>   			       &ttc_groups[TTC_GROUPS_DEFAULT];
>>   
> 
> Reviewed-by: Mark Bloch <mbloch@nvidia.com>
> 
> Mark
> 

netdev maintainers,

Note that Mark is covering me while I'm on vacation (for the coming ~10 
days). Please accordingly honor his submissions and replies for mlx5 
content.

In case this mail notification is not sufficient, please let us know 
what extra action is required.

Happy Holidays,
Tariq

[PATCH v5 2/2] net/mlx5: Fix memory leak in error path of ttc creation

[Henry Martin]

Free ttc table memory when unsupported ttc_type is passed, to avoid
memory leak on the default error path in mlx5_create_inner_ttc_table()
and mlx5_create_ttc_table().

Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
index e48afd620d7e..077fe908bf86 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
@@ -651,6 +651,7 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
 			MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(dev, inner_l4_type);
 		break;
 	default:
+		kvfree(ttc);
 		return ERR_PTR(-EINVAL);
 	}
 
@@ -729,6 +730,7 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
 			MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(dev, outer_l4_type);
 		break;
 	default:
+		kvfree(ttc);
 		return ERR_PTR(-EINVAL);
 	}
 
-- 
2.34.1

Re: [PATCH v5 2/2] net/mlx5: Fix memory leak in error path of ttc creation

[Mark Bloch]

On 15/04/2025 15:41, Henry Martin wrote:
> Free ttc table memory when unsupported ttc_type is passed, to avoid
> memory leak on the default error path in mlx5_create_inner_ttc_table()
> and mlx5_create_ttc_table().
> 
> Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> index e48afd620d7e..077fe908bf86 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> @@ -651,6 +651,7 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
>  			MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(dev, inner_l4_type);
>  		break;
>  	default:
> +		kvfree(ttc);
>  		return ERR_PTR(-EINVAL);
>  	}
>  
> @@ -729,6 +730,7 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
>  			MLX5_CAP_NIC_RX_FT_FIELD_SUPPORT_2(dev, outer_l4_type);
>  		break;
>  	default:
> +		kvfree(ttc);
>  		return ERR_PTR(-EINVAL);
>  	}
>  

What about just moving the ttc allocation after the switch case?

Mark

Re: [PATCH v5 2/2] net/mlx5: Fix memory leak in error path of ttc creation

[henry martin]

> What about just moving the ttc allocation after the switch case?

Thanks for the suggestion. Moving the allocation after the switch statement is
indeed a cleaner approach.