[PATCH net v3 0/3] net: liquidio: Fix memory leaks in setup_nic_devices()

[PATCH net v3 0/3] net: liquidio: Fix memory leaks in setup_nic_devices()

[Zilin Guan]

This series fixes memory leaks in the initialization paths of the 
NIC devices.

Patch 1 fixes an off-by-one error in the PF cleanup loop. It ensures
the current device index is cleaned up and correctly handles the 
post-loop devlink_alloc failure case.

Patch 2 fixes the same off-by-one error in the VF cleanup loop.

Patch 3 moves the initialization of oct->props[i].netdev before queue 
setup calls. This ensures that if queue setup fails, the cleanup function 
can find and free the allocated netdev. It also initializes lio->oct_dev 
early to prevent a crash in the cleanup path.

Signed-off-by: Zilin Guan <zilin@seu.edu.cn>

Changes in v3:
- Split the off-by-one fix into separate patches for PF and VF.
- Patch 1: Decrement i in the devlink_alloc error path before jumping
  to cleanup to avoid accessing an invalid index.
- Patch 3: Initialize lio->oct_dev alongside props->netdev to prevent 
  NULL pointer dereference in cleanup_rx_oom_poll_fn().

Changes in v2:
- Add patch 1 to fix an off-by-one error in the error handling loop logic.

Zilin Guan (3):
  net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
  net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
  net: liquidio: Initialize netdev pointer before queue setup

 .../net/ethernet/cavium/liquidio/lio_main.c   | 38 ++++++++++---------
 .../ethernet/cavium/liquidio/lio_vf_main.c    |  3 +-
 2 files changed, 22 insertions(+), 19 deletions(-)

-- 
2.34.1

[PATCH net v3 1/3] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup

[Zilin Guan]

In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skip the failing index i, causing a memory leak.

Fix this by changing the loop to iterate from the current index i
down to 0.

Also, decrement i in the devlink_alloc failure path to point to the
last successfully allocated index.

Compile tested only. Issue found using code review.

Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters")
Suggested-by: Simon Horman <horms@kernel.org>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
 drivers/net/ethernet/cavium/liquidio/lio_main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
index 0732440eeacd..e9a728997689 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
@@ -3750,6 +3750,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 	if (!devlink) {
 		device_unlock(&octeon_dev->pci_dev->dev);
 		dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n");
+		i--;
 		goto setup_nic_dev_free;
 	}
 
@@ -3765,10 +3766,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 
 setup_nic_dev_free:
 
-	while (i--) {
+	while (i >= 0) {
 		dev_err(&octeon_dev->pci_dev->dev,
 			"NIC ifidx:%d Setup failed\n", i);
 		liquidio_destroy_nic_device(octeon_dev, i);
+		i--;
 	}
 
 setup_nic_dev_done:
-- 
2.34.1

[PATCH net v3 2/3] net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup

[Zilin Guan]

In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skip the failing index i, causing a memory leak.

Fix this by changing the loop to iterate from the current index i
down to 0.

Compile tested only. Issue found using code review.

Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features")
Suggested-by: Simon Horman <horms@kernel.org>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
 drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c
index e02942dbbcce..050f9feb0b4a 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c
@@ -2212,10 +2212,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 
 setup_nic_dev_free:
 
-	while (i--) {
+	while (i >= 0) {
 		dev_err(&octeon_dev->pci_dev->dev,
 			"NIC ifidx:%d Setup failed\n", i);
 		liquidio_destroy_nic_device(octeon_dev, i);
+		i--;
 	}
 
 setup_nic_dev_done:
-- 
2.34.1

[PATCH net v3 3/3] net: liquidio: Initialize netdev pointer before queue setup

[Zilin Guan]

In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().
However, the pointer to this structure is stored in oct->props[i].netdev
only after the calls to netif_set_real_num_rx_queues() and
netif_set_real_num_tx_queues().

If either of these functions fails, setup_nic_devices() returns an error
without freeing the allocated netdev. Since oct->props[i].netdev is still
NULL at this point, the cleanup function liquidio_destroy_nic_device()
will fail to find and free the netdev, resulting in a memory leak.

Fix this by initializing oct->props[i].netdev before calling the queue
setup functions. This ensures that the netdev is properly accessible for
cleanup in case of errors.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
 .../net/ethernet/cavium/liquidio/lio_main.c   | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
index e9a728997689..6c954f740073 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
@@ -3505,6 +3505,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 		 */
 		netdev->netdev_ops = &lionetdevops;
 
+		lio = GET_LIO(netdev);
+
+		memset(lio, 0, sizeof(struct lio));
+
+		lio->ifidx = ifidx_or_pfnum;
+
+		props = &octeon_dev->props[i];
+		props->gmxport = resp->cfg_info.linfo.gmxport;
+		props->netdev = netdev;
+
+		/* Point to the  properties for octeon device to which this
+		 * interface belongs.
+		 */
+		lio->oct_dev = octeon_dev;
+		lio->octprops = props;
+		lio->netdev = netdev;
+
 		retval = netif_set_real_num_rx_queues(netdev, num_oqueues);
 		if (retval) {
 			dev_err(&octeon_dev->pci_dev->dev,
@@ -3521,16 +3538,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 			goto setup_nic_dev_free;
 		}
 
-		lio = GET_LIO(netdev);
-
-		memset(lio, 0, sizeof(struct lio));
-
-		lio->ifidx = ifidx_or_pfnum;
-
-		props = &octeon_dev->props[i];
-		props->gmxport = resp->cfg_info.linfo.gmxport;
-		props->netdev = netdev;
-
 		lio->linfo.num_rxpciq = num_oqueues;
 		lio->linfo.num_txpciq = num_iqueues;
 		for (j = 0; j < num_oqueues; j++) {
@@ -3596,13 +3603,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
 		netdev->min_mtu = LIO_MIN_MTU_SIZE;
 		netdev->max_mtu = LIO_MAX_MTU_SIZE;
 
-		/* Point to the  properties for octeon device to which this
-		 * interface belongs.
-		 */
-		lio->oct_dev = octeon_dev;
-		lio->octprops = props;
-		lio->netdev = netdev;
-
 		dev_dbg(&octeon_dev->pci_dev->dev,
 			"if%d gmx: %d hw_addr: 0x%llx\n", i,
 			lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr));
-- 
2.34.1

Re: [PATCH net v3 1/3] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup

[Kory Maincent]

On Tue, 27 Jan 2026 15:12:39 +0000
Zilin Guan <zilin@seu.edu.cn> wrote:

> In setup_nic_devices(), the initialization loop jumps to the label
> setup_nic_dev_free on failure. The current cleanup loop while(i--)
> skip the failing index i, causing a memory leak.
> 
> Fix this by changing the loop to iterate from the current index i
> down to 0.
> 
> Also, decrement i in the devlink_alloc failure path to point to the
> last successfully allocated index.
> 
> Compile tested only. Issue found using code review.

Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>

Thank you!
-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com

Re: [PATCH net v3 2/3] net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup

[Kory Maincent]

On Tue, 27 Jan 2026 15:12:40 +0000
Zilin Guan <zilin@seu.edu.cn> wrote:

> In setup_nic_devices(), the initialization loop jumps to the label
> setup_nic_dev_free on failure. The current cleanup loop while(i--)
> skip the failing index i, causing a memory leak.
> 
> Fix this by changing the loop to iterate from the current index i
> down to 0.
> 
> Compile tested only. Issue found using code review.

Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>

Thank you!
-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com

Re: [PATCH net v3 3/3] net: liquidio: Initialize netdev pointer before queue setup

[Kory Maincent]

On Tue, 27 Jan 2026 15:12:41 +0000
Zilin Guan <zilin@seu.edu.cn> wrote:

> In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().
> However, the pointer to this structure is stored in oct->props[i].netdev
> only after the calls to netif_set_real_num_rx_queues() and
> netif_set_real_num_tx_queues().
> 
> If either of these functions fails, setup_nic_devices() returns an error
> without freeing the allocated netdev. Since oct->props[i].netdev is still
> NULL at this point, the cleanup function liquidio_destroy_nic_device()
> will fail to find and free the netdev, resulting in a memory leak.
> 
> Fix this by initializing oct->props[i].netdev before calling the queue
> setup functions. This ensures that the netdev is properly accessible for
> cleanup in case of errors.
> 
> Compile tested only. Issue found using a prototype static analysis tool
> and code review.

I think this patch should be moved before patch 1.
Thanks to Patch 1 we are now cleaning the failing index, but we could face
dereference NULL pointer if we are failing in one of those
netif_set_real_num_rx_queues() and netif_set_real_num_tx_queues() functions.

With this patch moved:
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>

Thank you!
-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com

Re: [PATCH net v3 0/3] net: liquidio: Fix memory leaks in setup_nic_devices()

[Jakub Kicinski]

On Tue, 27 Jan 2026 15:12:38 +0000 Zilin Guan wrote:
> This series fixes memory leaks in the initialization paths of the 
> NIC devices.
> 
> Patch 1 fixes an off-by-one error in the PF cleanup loop. It ensures
> the current device index is cleaned up and correctly handles the 
> post-loop devlink_alloc failure case.
> 
> Patch 2 fixes the same off-by-one error in the VF cleanup loop.
> 
> Patch 3 moves the initialization of oct->props[i].netdev before queue 
> setup calls. This ensures that if queue setup fails, the cleanup function 
> can find and free the allocated netdev. It also initializes lio->oct_dev 
> early to prevent a crash in the cleanup path.

Coccicheck says:

drivers/net/ethernet/cavium/liquidio/lio_main.c:3769:8-9: WARNING: Unsigned expression compared with zero: i >= 0
drivers/net/ethernet/cavium/liquidio/lio_vf_main.c:2215:8-9: WARNING: Unsigned expression compared with zero: i >= 0
-- 
pw-bot: cr

Re: [PATCH net v3 0/3] net: liquidio: Fix memory leaks in setup_nic_devices()

[Zilin Guan]

On Tue, Jan 27, 2026 at 01:05:46PM -0800, Jakub Kicinski wrote:
> On Tue, 27 Jan 2026 15:12:38 +0000 Zilin Guan wrote:
> > This series fixes memory leaks in the initialization paths of the 
> > NIC devices.
> > 
> > Patch 1 fixes an off-by-one error in the PF cleanup loop. It ensures
> > the current device index is cleaned up and correctly handles the 
> > post-loop devlink_alloc failure case.
> > 
> > Patch 2 fixes the same off-by-one error in the VF cleanup loop.
> > 
> > Patch 3 moves the initialization of oct->props[i].netdev before queue 
> > setup calls. This ensures that if queue setup fails, the cleanup function 
> > can find and free the allocated netdev. It also initializes lio->oct_dev 
> > early to prevent a crash in the cleanup path.
> 
> Coccicheck says:
> 
> drivers/net/ethernet/cavium/liquidio/lio_main.c:3769:8-9: WARNING: Unsigned expression compared with zero: i >= 0
> drivers/net/ethernet/cavium/liquidio/lio_vf_main.c:2215:8-9: WARNING: Unsigned expression compared with zero: i >= 0
> -- 
> pw-bot: cr

Apologies for missing the unsigned integer issue here. I was worried 
about a potential underflow during the devlink_alloc failure path if 
the loop hadn't run, which led to the while (i >= 0) approach. I'll 
fix this in v4. Thanks for catching that!

Regards,
Zilin