Netdev List
* [net-next] net: hwbm: fix buffer leak when construct callback is missing
From: Chenguang Zhao @ 2026-05-21 10:16 UTC (permalink / raw)
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman
  Cc: Chenguang Zhao, netdev

hwbm_pool_refill() could allocate a buffer and return success without
calling construct(), leaking the buffer and letting hwbm_pool_add()
incorrectly increment buf_num.

Free the buffer and return -EINVAL if construct is NULL.

Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
---
 net/core/hwbm.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/core/hwbm.c b/net/core/hwbm.c
index ac1a66df9adc..284b97c488dc 100644
--- a/net/core/hwbm.c
+++ b/net/core/hwbm.c
@@ -33,11 +33,15 @@ int hwbm_pool_refill(struct hwbm_pool *bm_pool, gfp_t gfp)
 	if (!buf)
 		return -ENOMEM;
 
-	if (bm_pool->construct)
-		if (bm_pool->construct(bm_pool, buf)) {
-			hwbm_buf_free(bm_pool, buf);
-			return -ENOMEM;
-		}
+	if (!bm_pool->construct) {
+		hwbm_buf_free(bm_pool, buf);
+		return -EINVAL;
+	}
+
+	if (bm_pool->construct(bm_pool, buf)) {
+		hwbm_buf_free(bm_pool, buf);
+		return -ENOMEM;
+	}
 
 	return 0;
 }
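Review bot: the new `!bm_pool->construct` test sits after the allocation (below the `if (!buf)` check), so a pool without a callback allocates a buffer and immediately frees it on every refill call before failing with -EINVAL. Testing the callback ahead of the allocation, e.g. `if (!bm_pool->construct) return -EINVAL;`, would make the extra `hwbm_buf_free()` branch unnecessary. The commit message should also state whether any caller can reach this function with construct unset, since that decides whether this is a fix or dead-code handling.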
-- 
2.25.1



* Re: [net-next] net: hwbm: fix buffer leak when construct callback is missing
From: Jakub Kicinski @ 2026-05-25 20:38 UTC (permalink / raw)
  To: Chenguang Zhao
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Simon Horman, netdev

On Thu, 21 May 2026 18:16:18 +0800 Chenguang Zhao wrote:
> hwbm_pool_refill() could allocate a buffer and return success without
> calling construct(), leaking the buffer and letting hwbm_pool_add()
> incorrectly increment buf_num.
> 
> Free the buffer and return -EINVAL if construct is NULL.

This code would make no sense if ->construct is NULL right?
If you want to touch this code you should remove all the checks
if ->construct is NULL instead. All in-tree callers (obviously)
set it to a valid callback.

> diff --git a/net/core/hwbm.c b/net/core/hwbm.c
> index ac1a66df9adc..284b97c488dc 100644
> --- a/net/core/hwbm.c
> +++ b/net/core/hwbm.c
> @@ -33,11 +33,15 @@ int hwbm_pool_refill(struct hwbm_pool *bm_pool, gfp_t gfp)
>  	if (!buf)
>  		return -ENOMEM;
>  
> -	if (bm_pool->construct)
> -		if (bm_pool->construct(bm_pool, buf)) {
> -			hwbm_buf_free(bm_pool, buf);
> -			return -ENOMEM;
> -		}
> +	if (!bm_pool->construct) {
> +		hwbm_buf_free(bm_pool, buf);
> +		return -EINVAL;
> +	}
> +
> +	if (bm_pool->construct(bm_pool, buf)) {
> +		hwbm_buf_free(bm_pool, buf);
> +		return -ENOMEM;
> +	}
>  
>  	return 0;
>  }
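Review bot: in the construct failure branch the callback's return value is discarded and -ENOMEM is returned unconditionally, while the new NULL branch returns -EINVAL, so the error a caller sees no longer depends on what construct() reported. If the callback returns an errno, consider keeping it in a local (`err = bm_pool->construct(bm_pool, buf);`) and returning that after `hwbm_buf_free()`, or note in the commit message why -ENOMEM is the right code for every construct failure.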
-- 
pw-bot: cr

