lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 6 Jul 2020 17:28:12 +0200
From:   Matteo Croce <mcroce@...ux.microsoft.com>
To:     Colin Ian King <colin.king@...onical.com>,
        Sven Auhagen <sven.auhagen@...eatech.de>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: mvpp2: XDP TX support

On Mon, 6 Jul 2020 14:59:22 +0100
Colin Ian King <colin.king@...onical.com> wrote:

> Hi,
> 
> Static analysis with Coverity has found a potential issue in the
> following commit:
> 
> commit c2d6fe6163de80d7f7cf400ee351f56d6cdb7a5a
> Author: Matteo Croce <mcroce@...rosoft.com>
> Date:   Thu Jul 2 16:12:43 2020 +0200
> 
>     mvpp2: XDP TX support
> 
> 
> In source drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c in function
> mvpp2_check_pagepool_dma, analysis is as follows:
> 
> 
> 4486        if (!priv->percpu_pools)
> 4487                return err;
> 4488
> CID (#1 of 1): Array compared against 0 (NO_EFFECT)
> array_null: Comparing an array to null is not useful: priv->page_pool,
> since the test will always evaluate as true.
> 
>     Was priv->page_pool formerly declared as a pointer?
> 
> 4489        if (!priv->page_pool)
> 4490                return -ENOMEM;
> 4491
> 
> 
> page_pool is declared as:
> 
> 	struct page_pool *page_pool[MVPP2_PORT_MAX_RXQ];
> 
> ..it is an array and hence cannot be null, so the null check is
> redundant.  Later on there is a reference of priv->page_pool[0], so
> was the check meant to be:
> 
> 	if (!priv->page_pool[0])
> 
> Colin

Hi,

yes, the check was meant to be 'if (!priv->page_pool[0])'.
Maybe it's a copy/paste error from other points where 'page_pool' is a
local variable.

While at it, I've found that in case a page_pool allocation fails, I
don't cleanup the previously allocated pools, and upon deallocation the
pointer isn't set back to NULL.

I should add something like:

@@ -548,8 +548,10 @@ static int mvpp2_bm_pool_destroy(struct device
*dev, struct mvpp2 *priv, val |= MVPP2_BM_STOP_MASK;
 	mvpp2_write(priv, MVPP2_BM_POOL_CTRL_REG(bm_pool->id), val);
 
-	if (priv->percpu_pools)
+	if (priv->percpu_pools) {
 		page_pool_destroy(priv->page_pool[bm_pool->id]);
+		priv->page_pool[bm_pool->id] = NULL;
+	}
 
 	dma_free_coherent(dev, bm_pool->size_bytes,
 			  bm_pool->virt_addr,
@@ -609,8 +611,15 @@ static int mvpp2_bm_init(struct device *dev,
struct mvpp2 *priv) mvpp2_pools[pn].buf_num,
 						       mvpp2_pools[pn].pkt_size,
 						       dma_dir);
-			if (IS_ERR(priv->page_pool[i]))
-				return PTR_ERR(priv->page_pool[i]);
+			if (IS_ERR(priv->page_pool[i])) {
+				err = PTR_ERR(priv->page_pool[i]);
+
+				for (i--; i >=0; i--) {
+
page_pool_destroy(priv->page_pool[i]);
+					priv->page_pool[i] = NULL;
+				}
+				return err;
+			}
 		}
 	}
 
Looks sane to you?

Regards,
-- 
per aspera ad upstream

Powered by blists - more mailing lists