* [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation
@ 2025-04-16 9:22 Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw)
To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba,
pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz
Cc: netdev, linux-rdma, linux-kernel
This patch series addresses two issues in the
mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() functions:
1. A potential NULL pointer dereference if mlx5_get_flow_namespace()
returns NULL.
2. A memory leak in the error path when ttc_type is invalid (default:
switch case).
Henry Martin (2):
net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
net/mlx5: Move ttc allocation after switch case to prevent leaks
.../ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 26 +++++++++++++------
1 file changed, 18 insertions(+), 8 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() 2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin @ 2025-04-16 9:22 ` Henry Martin 2025-04-16 19:00 ` Markus Elfring 2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin 2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring 2 siblings, 1 reply; 9+ messages in thread From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw) To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba, pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz Cc: netdev, linux-rdma, linux-kernel Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference. Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table") Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> Reviewed-by: Mark Bloch <mbloch@nvidia.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com> --- drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index eb3bd9c7f66e..066121fed718 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c @@ -655,6 +655,11 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, } ns = mlx5_get_flow_namespace(dev, params->ns_type); + if (!ns) { + kvfree(ttc); + return ERR_PTR(-EOPNOTSUPP); + } + groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] : &inner_ttc_groups[TTC_GROUPS_DEFAULT]; @@ -728,6 +733,11 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, } ns = mlx5_get_flow_namespace(dev, params->ns_type); + if (!ns) { + kvfree(ttc); + return ERR_PTR(-EOPNOTSUPP); + } + groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] : &ttc_groups[TTC_GROUPS_DEFAULT]; -- 2.34.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() 2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin @ 2025-04-16 19:00 ` Markus Elfring 0 siblings, 0 replies; 9+ messages in thread From: Markus Elfring @ 2025-04-16 19:00 UTC (permalink / raw) To: Henry Martin, linux-rdma, netdev Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski, Paolo Abeni, Saeed Mahameed, Tariq Toukan > Add NULL check for mlx5_get_flow_namespace() returns in > mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent > NULL pointer dereference. * Can an other summary phrase variant become more desirable accordingly? * Please avoid duplicate source code. Regards, Markus ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks 2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin 2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin @ 2025-04-16 9:22 ` Henry Martin 2025-04-16 11:06 ` Michal Swiatkowski 2025-04-16 12:02 ` Mark Bloch 2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring 2 siblings, 2 replies; 9+ messages in thread From: Henry Martin @ 2025-04-16 9:22 UTC (permalink / raw) To: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba, pabeni, bsdhenrymartin, mbloch, michal.swiatkowski, amirtz Cc: netdev, linux-rdma, linux-kernel Relocate the memory allocation for ttc table after the switch statement that validates params->ns_type in both mlx5_create_inner_ttc_table() and mlx5_create_ttc_table(). This ensures memory is only allocated after confirming valid input, eliminating potential memory leaks when invalid ns_type cases occur. Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> --- .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c index 066121fed718..513dafd5ebf2 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c @@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, bool use_l4_type; int err; - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); - if (!ttc) - return ERR_PTR(-ENOMEM); - switch (params->ns_type) { case MLX5_FLOW_NAMESPACE_PORT_SEL: use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && @@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, return ERR_PTR(-EINVAL); } + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); + if (!ttc) + return ERR_PTR(-ENOMEM); + ns = mlx5_get_flow_namespace(dev, params->ns_type); if (!ns) { kvfree(ttc); @@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, bool use_l4_type; int err; - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); - if (!ttc) - return ERR_PTR(-ENOMEM); - switch (params->ns_type) { case MLX5_FLOW_NAMESPACE_PORT_SEL: use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && @@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, return ERR_PTR(-EINVAL); } + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); + if (!ttc) + return ERR_PTR(-ENOMEM); + ns = mlx5_get_flow_namespace(dev, params->ns_type); if (!ns) { kvfree(ttc); -- 2.34.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks 2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin @ 2025-04-16 11:06 ` Michal Swiatkowski 2025-04-16 12:02 ` Mark Bloch 1 sibling, 0 replies; 9+ messages in thread From: Michal Swiatkowski @ 2025-04-16 11:06 UTC (permalink / raw) To: Henry Martin Cc: saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba, pabeni, mbloch, michal.swiatkowski, amirtz, netdev, linux-rdma, linux-kernel On Wed, Apr 16, 2025 at 05:22:43PM +0800, Henry Martin wrote: > Relocate the memory allocation for ttc table after the switch statement > that validates params->ns_type in both mlx5_create_inner_ttc_table() and > mlx5_create_ttc_table(). This ensures memory is only allocated after > confirming valid input, eliminating potential memory leaks when invalid > ns_type cases occur. > > Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> > --- > .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++-------- > 1 file changed, 8 insertions(+), 8 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > index 066121fed718..513dafd5ebf2 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > @@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > bool use_l4_type; > int err; > > - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > - if (!ttc) > - return ERR_PTR(-ENOMEM); > - > switch (params->ns_type) { > case MLX5_FLOW_NAMESPACE_PORT_SEL: > use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && > @@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > return ERR_PTR(-EINVAL); > } > > + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > + if (!ttc) > + return ERR_PTR(-ENOMEM); > + > ns = mlx5_get_flow_namespace(dev, params->ns_type); > if (!ns) { > kvfree(ttc); > @@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > bool use_l4_type; > int err; > > - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > - if (!ttc) > - return ERR_PTR(-ENOMEM); > - > switch (params->ns_type) { > case MLX5_FLOW_NAMESPACE_PORT_SEL: > use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && > @@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > return ERR_PTR(-EINVAL); > } > > + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > + if (!ttc) > + return ERR_PTR(-ENOMEM); > + > ns = mlx5_get_flow_namespace(dev, params->ns_type); > if (!ns) { > kvfree(ttc); Thanks for fixing Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com> > -- > 2.34.1 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks 2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin 2025-04-16 11:06 ` Michal Swiatkowski @ 2025-04-16 12:02 ` Mark Bloch 2025-04-17 15:04 ` Jakub Kicinski 1 sibling, 1 reply; 9+ messages in thread From: Mark Bloch @ 2025-04-16 12:02 UTC (permalink / raw) To: Henry Martin, saeedm, leon, tariqt, andrew+netdev, davem, edumazet, kuba, pabeni, michal.swiatkowski, amirtz Cc: netdev, linux-rdma, linux-kernel On 16/04/2025 12:22, Henry Martin wrote: > Relocate the memory allocation for ttc table after the switch statement > that validates params->ns_type in both mlx5_create_inner_ttc_table() and > mlx5_create_ttc_table(). This ensures memory is only allocated after > confirming valid input, eliminating potential memory leaks when invalid > ns_type cases occur. > > Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com> > --- > .../net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 16 ++++++++-------- > 1 file changed, 8 insertions(+), 8 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > index 066121fed718..513dafd5ebf2 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c > @@ -637,10 +637,6 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > bool use_l4_type; > int err; > > - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > - if (!ttc) > - return ERR_PTR(-ENOMEM); > - > switch (params->ns_type) { > case MLX5_FLOW_NAMESPACE_PORT_SEL: > use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && > @@ -654,6 +650,10 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev, > return ERR_PTR(-EINVAL); > } > > + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > + if (!ttc) > + return ERR_PTR(-ENOMEM); > + > ns = mlx5_get_flow_namespace(dev, params->ns_type); > if (!ns) { > kvfree(ttc); > @@ -715,10 +715,6 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > bool use_l4_type; > int err; > > - ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > - if (!ttc) > - return ERR_PTR(-ENOMEM); > - > switch (params->ns_type) { > case MLX5_FLOW_NAMESPACE_PORT_SEL: > use_l4_type = MLX5_CAP_GEN_2(dev, pcc_ifa2) && > @@ -732,6 +728,10 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev, > return ERR_PTR(-EINVAL); > } > > + ttc = kvzalloc(sizeof(*ttc), GFP_KERNEL); > + if (!ttc) > + return ERR_PTR(-ENOMEM); > + > ns = mlx5_get_flow_namespace(dev, params->ns_type); > if (!ns) { > kvfree(ttc); Reviewed-by: Mark Bloch <mbloch@nvidia.com> Mark ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks 2025-04-16 12:02 ` Mark Bloch @ 2025-04-17 15:04 ` Jakub Kicinski 2025-04-18 2:42 ` henry martin 0 siblings, 1 reply; 9+ messages in thread From: Jakub Kicinski @ 2025-04-17 15:04 UTC (permalink / raw) To: Mark Bloch Cc: Henry Martin, saeedm, leon, tariqt, andrew+netdev, davem, edumazet, pabeni, michal.swiatkowski, amirtz, netdev, linux-rdma, linux-kernel On Wed, 16 Apr 2025 15:02:13 +0300 Mark Bloch wrote: > On 16/04/2025 12:22, Henry Martin wrote: > > Relocate the memory allocation for ttc table after the switch statement > > that validates params->ns_type in both mlx5_create_inner_ttc_table() and > > mlx5_create_ttc_table(). This ensures memory is only allocated after > > confirming valid input, eliminating potential memory leaks when invalid > > ns_type cases occur. > > Reviewed-by: Mark Bloch <mbloch@nvidia.com> A bit hard to see from the context but I'm guessing this fixes a memory leak? We need a Fixes tag.. reminder: please trim your replies -- pw-bot: cr ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks 2025-04-17 15:04 ` Jakub Kicinski @ 2025-04-18 2:42 ` henry martin 0 siblings, 0 replies; 9+ messages in thread From: henry martin @ 2025-04-18 2:42 UTC (permalink / raw) To: Jakub Kicinski Cc: Mark Bloch, saeedm, leon, tariqt, andrew+netdev, davem, edumazet, pabeni, michal.swiatkowski, amirtz, netdev, linux-rdma, linux-kernel > A bit hard to see from the context but I'm guessing this fixes > a memory leak? We need a Fixes tag.. Thanks for the reminder. I've added the Fixes tag in v7. Regards, Henry ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation 2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin 2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin 2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin @ 2025-04-16 18:38 ` Markus Elfring 2 siblings, 0 replies; 9+ messages in thread From: Markus Elfring @ 2025-04-16 18:38 UTC (permalink / raw) To: Henry Martin, linux-rdma, netdev Cc: LKML, Amir Tzin, Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski, Leon Romanovsky, Mark Bloch, Michal Swiatkowski, Paolo Abeni, Saeed Mahameed, Tariq Toukan > This patch series addresses two issues in … It would have been helpful to extend patch version descriptions accordingly. https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.15-rc2#n310 Regards, Markus ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2025-04-18 2:42 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-16 9:22 [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Henry Martin
2025-04-16 9:22 ` [PATCH v6 1/2] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Henry Martin
2025-04-16 19:00 ` Markus Elfring
2025-04-16 9:22 ` [PATCH v6 2/2] net/mlx5: Move ttc allocation after switch case to prevent leaks Henry Martin
2025-04-16 11:06 ` Michal Swiatkowski
2025-04-16 12:02 ` Mark Bloch
2025-04-17 15:04 ` Jakub Kicinski
2025-04-18 2:42 ` henry martin
2025-04-16 18:38 ` [PATCH v6 0/2] net/mlx5: Fix NULL dereference and memory leak in ttc_table creation Markus Elfring
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).