* [PATCH net 0/2] octeontx2-pf: Fix several bugs in exception paths @ 2022-11-25 7:45 Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 1/2] octeontx2-pf: Fix potential memory leak in otx2_init_tc() Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() Ziyang Xuan 0 siblings, 2 replies; 5+ messages in thread From: Ziyang Xuan @ 2022-11-25 7:45 UTC (permalink / raw) To: sgoutham, gakula, sbhatta, hkelam, davem, edumazet, kuba, pabeni, netdev Cc: linux-kernel Find several obvious bugs during code review in exception paths. Provide this patchset to fix them. Not tested, just compiled. Ziyang Xuan (2): octeontx2-pf: Fix potential memory leak in otx2_init_tc() octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 1/2] octeontx2-pf: Fix potential memory leak in otx2_init_tc() 2022-11-25 7:45 [PATCH net 0/2] octeontx2-pf: Fix several bugs in exception paths Ziyang Xuan @ 2022-11-25 7:45 ` Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() Ziyang Xuan 1 sibling, 0 replies; 5+ messages in thread From: Ziyang Xuan @ 2022-11-25 7:45 UTC (permalink / raw) To: sgoutham, gakula, sbhatta, hkelam, davem, edumazet, kuba, pabeni, netdev Cc: linux-kernel In otx2_init_tc(), if rhashtable_init() failed, it does not free tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap(). Fixes: 2e2a8126ffac ("octeontx2-pf: Unify flow management variables") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c index e64318c110fd..6a01ab1a6e6f 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c @@ -1134,7 +1134,12 @@ int otx2_init_tc(struct otx2_nic *nic) return err; tc->flow_ht_params = tc_flow_ht_params; - return rhashtable_init(&tc->flow_table, &tc->flow_ht_params); + err = rhashtable_init(&tc->flow_table, &tc->flow_ht_params); + if (err) { + kfree(tc->tc_entries_bitmap); + tc->tc_entries_bitmap = NULL; + } + return err; } EXPORT_SYMBOL(otx2_init_tc); -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() 2022-11-25 7:45 [PATCH net 0/2] octeontx2-pf: Fix several bugs in exception paths Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 1/2] octeontx2-pf: Fix potential memory leak in otx2_init_tc() Ziyang Xuan @ 2022-11-25 7:45 ` Ziyang Xuan 2022-11-29 12:03 ` Paolo Abeni 1 sibling, 1 reply; 5+ messages in thread From: Ziyang Xuan @ 2022-11-25 7:45 UTC (permalink / raw) To: sgoutham, gakula, sbhatta, hkelam, davem, edumazet, kuba, pabeni, netdev Cc: linux-kernel otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues" label in otx2_init_hw_resources(). The first calling is within otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling is at later "err_free_sq_ptrs" label. In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug, assign 0 to sq->sqb_ptrs[i] after memory page be freed. Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c index 9e10e7471b88..5a25fe51d102 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c @@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf) DMA_FROM_DEVICE, DMA_ATTR_SKIP_CPU_SYNC); put_page(virt_to_page(phys_to_virt(pa))); + sq->sqb_ptrs[sqb] = 0; } sq->sqb_count = 0; } -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() 2022-11-25 7:45 ` [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() Ziyang Xuan @ 2022-11-29 12:03 ` Paolo Abeni 2022-12-02 1:39 ` Ziyang Xuan (William) 0 siblings, 1 reply; 5+ messages in thread From: Paolo Abeni @ 2022-11-29 12:03 UTC (permalink / raw) To: Ziyang Xuan, sgoutham, gakula, sbhatta, hkelam, davem, edumazet, kuba, netdev Cc: linux-kernel Hello, On Fri, 2022-11-25 at 15:45 +0800, Ziyang Xuan wrote: > otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues" > label in otx2_init_hw_resources(). The first calling is within > otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling > is at later "err_free_sq_ptrs" label. > > In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it > points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after > memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory > page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug, > assign 0 to sq->sqb_ptrs[i] after memory page be freed. > > Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") > Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> > --- > drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c > index 9e10e7471b88..5a25fe51d102 100644 > --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c > +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c > @@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf) > DMA_FROM_DEVICE, > DMA_ATTR_SKIP_CPU_SYNC); > put_page(virt_to_page(phys_to_virt(pa))); > + sq->sqb_ptrs[sqb] = 0; The above looks not needed... > } > sq->sqb_count = 0; ... as this will prevent the next invocation of otx2_sq_free_sqbs() from traversing and freeing any sq->sqb_ptrs[] element. Cheers, Paolo > } ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() 2022-11-29 12:03 ` Paolo Abeni @ 2022-12-02 1:39 ` Ziyang Xuan (William) 0 siblings, 0 replies; 5+ messages in thread From: Ziyang Xuan (William) @ 2022-12-02 1:39 UTC (permalink / raw) To: Paolo Abeni, sgoutham, gakula, sbhatta, hkelam, davem, edumazet, kuba, netdev Cc: linux-kernel > Hello, > > On Fri, 2022-11-25 at 15:45 +0800, Ziyang Xuan wrote: >> otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues" >> label in otx2_init_hw_resources(). The first calling is within >> otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling >> is at later "err_free_sq_ptrs" label. >> >> In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it >> points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after >> memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory >> page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug, >> assign 0 to sq->sqb_ptrs[i] after memory page be freed. >> >> Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") >> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> >> --- >> drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c >> index 9e10e7471b88..5a25fe51d102 100644 >> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c >> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c >> @@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf) >> DMA_FROM_DEVICE, >> DMA_ATTR_SKIP_CPU_SYNC); >> put_page(virt_to_page(phys_to_virt(pa))); >> + sq->sqb_ptrs[sqb] = 0; > > The above looks not needed... >> } >> sq->sqb_count = 0; > > ... as this will prevent the next invocation of otx2_sq_free_sqbs() > from traversing and freeing any sq->sqb_ptrs[] element. Yes, you are right. I did pay much attention to sq->sqb_ptrs[], and omitted the for loop condition. Thank you! > > Cheers, > > Paolo >> } > > > . > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-12-02 1:40 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-11-25 7:45 [PATCH net 0/2] octeontx2-pf: Fix several bugs in exception paths Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 1/2] octeontx2-pf: Fix potential memory leak in otx2_init_tc() Ziyang Xuan 2022-11-25 7:45 ` [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs() Ziyang Xuan 2022-11-29 12:03 ` Paolo Abeni 2022-12-02 1:39 ` Ziyang Xuan (William)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).