From mboxrd@z Thu Jan  1 00:00:00 1970
From: Kris Van Hees <kris.van.hees@oracle.com>
Subject: Potential memory leak in htab_map_update_elem?
Date: Fri, 11 Jan 2019 00:08:04 -0500
Message-ID: <20190111050804.GB11821@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: netdev@vger.kernel.org
Return-path: <netdev-owner@vger.kernel.org>
Received: from userp2130.oracle.com ([156.151.31.86]:55890 "EHLO
        userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729072AbfAKFIJ (ORCPT
        <rfc822;netdev@vger.kernel.org>); Fri, 11 Jan 2019 00:08:09 -0500
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1])
        by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id x0B54Wp2160331
        for <netdev@vger.kernel.org>; Fri, 11 Jan 2019 05:08:08 GMT
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])
        by userp2130.oracle.com with ESMTP id 2ptm0ujw00-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
        for <netdev@vger.kernel.org>; Fri, 11 Jan 2019 05:08:08 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
        by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x0B587Vh005736
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
        for <netdev@vger.kernel.org>; Fri, 11 Jan 2019 05:08:07 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25])
        by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x0B586iG025889
        for <netdev@vger.kernel.org>; Fri, 11 Jan 2019 05:08:07 GMT
Content-Disposition: inline
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

Maybe I am missing something trivial here, but it looks to me that there is
a leak of htab elements in htab_map_update_elem when you are updating an
existing element.  After the new element is linked into the bucket list, the
following code snippet is found:

        if (l_old) {
                hlist_nulls_del_rcu(&l_old->hash_node);
                if (!htab_is_prealloc(htab))
                        free_htab_elem(htab, l_old);
        }

Nothing is done with l_old in the remainder of the function, and to me this
looks like that element is be leaked if the htab is preallocated because we
never add it to the free list.  In fact, free_htab_elem() contains the very
conditional that handles the two cases (preallocated vs non-preallocated.

	Cheers,
	Kris