From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-m49198.qiye.163.com (mail-m49198.qiye.163.com [45.254.49.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 83AC278F2F; Tue, 30 Jun 2026 07:21:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.254.49.198 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782804113; cv=none; b=mNI7CZBeB4PvX7cRnsUwh77dz7EwGGy5I5fB5sikKGIk/V2bXV1kwpM5sMKPiiJprf8hrI/TMrAN9Wq7auTOmDOv/G8ukYLGr5CDK7me0ePtPAXBdepMoFBOM9oR+uzyl7mcK3inp/OJrxc2U/m+Bkf+0ONkIDihiOOe8Il+KPc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782804113; c=relaxed/simple; bh=OdcC6x/d01X8Zoz5vtiz0YK7mL1Z51asCo1ShgRdG2M=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=bZ4T67tSCegbEXFWmfZ5JvKBwoQXz2Qb+idQHbF+ya8Ymfu7jVJh9jMhM8zLbIYFTGdFAKUrWvSkPkGlQznblGTWrOeEaOdTiqWqJLUktbMKYxtweqam3nUXUAlNF+7x/QPukvZmFag7LP7k8FnjvQDCKdM+cEC1vLWPxNkCOd4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn; spf=pass smtp.mailfrom=seu.edu.cn; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b=C1RU/7O2; arc=none smtp.client-ip=45.254.49.198 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b="C1RU/7O2" Received: from DESKTOP-SUEFNF9.taila7e912.ts.net (unknown [58.241.16.34]) by smtp.qiye.163.com (Hmail) with ESMTP id 444c2becd; Tue, 30 Jun 2026 15:16:29 +0800 (GMT+08:00) From: Dawei Feng To: sgoutham@marvell.com Cc: rkannoth@marvell.com, gakula@marvell.com, sbhatta@marvell.com, hkelam@marvell.com, bbhushan2@marvell.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, jbrandeb@kernel.org, richardcochran@gmail.com, amakarov@marvell.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, jianhao.xu@seu.edu.cn, zilin@seu.edu.cn, Dawei Feng Subject: [PATCH net v2] octeontx2-pf: fix SQB pointer leak on init failure Date: Tue, 30 Jun 2026 15:16:25 +0800 Message-Id: <20260630071625.349996-1-dawei.feng@seu.edu.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-HM-Tid: 0a9f1762f76a03a2kunm902ae0401aabee X-HM-MType: 10 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWRgWCB1ZQUpXWS1ZQUlXWQ8JGhUIEh9ZQVkaSUlMVhpNT00ZSE1IQ01KTVYeHw 5VEwETFhoSFyQUDg9ZV1kYEgtZQVlOQ1VJT0pVSk1VSE9ZV1kWGg8SFR0UWUFZT0tIVUpLSEpPSE xVSktLVUpCS0tZBg++ DKIM-Signature: a=rsa-sha256; b=C1RU/7O21k/2k+xueF8mLAKd7K1Tdcq8ibjilpoJA+LsPo/JOBTwSIQvZ5dWuB/pwSI9+Q2LfVTc97UJvWpprt5yo3zmK5r/msXPybGsG8567v08c8R2v00sp6mxewBagFNzgi3R5q6IgJbcAuA1DrYdNwUpv0sD+qQJBgThz6Y=; c=relaxed/relaxed; s=default; d=seu.edu.cn; v=1; bh=9At5R7iJVdLl+b9yYFudoALdZ+Azmft7oDz1KkJjsHI=; h=date:mime-version:subject:message-id:from; otx2_init_hw_resources() initializes SQ aura and pool resources before several later setup steps. On failure, err_free_sq_ptrs only frees SQB pages, leaving the per-SQ sqb_ptrs arrays behind. Use otx2_free_sq_res() for the SQ unwind path and let it free sqb_ptrs even when sq->sqe has not been allocated yet. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. Manual inspection confirms that the bug is still present in v7.1.1. An x86_64 allyesconfig build showed no new warnings. As we do not have an OcteonTX2 PF device and the corresponding AF mailbox setup to test with, no runtime testing was able to be performed. Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") Cc: stable@vger.kernel.org Reviewed-by: Ratheesh Kannoth Signed-off-by: Dawei Feng --- v2: - Rebase on net/main. - Drop the timestamp qmem cleanup and the PTP Fixes tag because net/main already has commit a056db30de92 ("octeontx2-pf: Fix leak of SQ timestamp buffer on teardown"). .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c index b63df5737ff2..88ac85354445 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c @@ -1568,15 +1568,15 @@ static void otx2_free_sq_res(struct otx2_nic *pf) otx2_sq_free_sqbs(pf); for (qidx = 0; qidx < otx2_get_total_tx_queues(pf); qidx++) { sq = &qset->sq[qidx]; - /* Skip freeing Qos queues if they are not initialized */ - if (!sq->sqe) - continue; - qmem_free(pf->dev, sq->sqe); - qmem_free(pf->dev, sq->sqe_ring); - qmem_free(pf->dev, sq->cpt_resp); - qmem_free(pf->dev, sq->tso_hdrs); - qmem_free(pf->dev, sq->timestamps); - kfree(sq->sg); + /* sq->sqe is not initialized for unused QoS queues */ + if (sq->sqe) { + qmem_free(pf->dev, sq->sqe); + qmem_free(pf->dev, sq->sqe_ring); + qmem_free(pf->dev, sq->cpt_resp); + qmem_free(pf->dev, sq->tso_hdrs); + qmem_free(pf->dev, sq->timestamps); + kfree(sq->sg); + } kfree(sq->sqb_ptrs); } } @@ -1711,13 +1711,12 @@ int otx2_init_hw_resources(struct otx2_nic *pf) return err; err_free_nix_queues: - otx2_free_sq_res(pf); otx2_free_cq_res(pf); otx2_ctx_disable(mbox, NIX_AQ_CTYPE_RQ, false); err_free_txsch: otx2_txschq_stop(pf); err_free_sq_ptrs: - otx2_sq_free_sqbs(pf); + otx2_free_sq_res(pf); err_free_rq_ptrs: otx2_free_aura_ptr(pf, AURA_NIX_RQ); otx2_ctx_disable(mbox, NPA_AQ_CTYPE_POOL, true); -- 2.34.1