lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jul 2020 19:02:15 +0000 From: Saeed Mahameed <saeedm@...lanox.com> To: "songliubraving@...com" <songliubraving@...com>, "hawk@...nel.org" <hawk@...nel.org>, "kafai@...com" <kafai@...com>, "davem@...emloft.net" <davem@...emloft.net>, "kpsingh@...omium.org" <kpsingh@...omium.org>, "john.fastabend@...il.com" <john.fastabend@...il.com>, "leon@...nel.org" <leon@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "ast@...nel.org" <ast@...nel.org>, "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>, "xiongx18@...an.edu.cn" <xiongx18@...an.edu.cn>, "yhs@...com" <yhs@...com>, "andriin@...com" <andriin@...com>, "kuba@...nel.org" <kuba@...nel.org>, "daniel@...earbox.net" <daniel@...earbox.net>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> CC: "xiyuyang19@...an.edu.cn" <xiyuyang19@...an.edu.cn>, "tanxin.ctf@...il.com" <tanxin.ctf@...il.com>, "yuanxzhang@...an.edu.cn" <yuanxzhang@...an.edu.cn> Subject: Re: [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote: > The function invokes bpf_prog_inc(), which increases the refcount of > a > bpf_prog object "rq->xdp_prog" if the object isn't NULL. > > The refcount leak issues take place in two error handling paths. When > mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function > simply > returns the error code and forgets to drop the refcount increased > earlier, causing a refcount leak of "rq->xdp_prog". > > Fix this issue by jumping to the error handling path > err_rq_wq_destroy > when either function fails. > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types") > > Signed-off-by: Xin Xiong <xiongx18@...an.edu.cn> > Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@...il.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > index a836a02a2116..8e1b1ab416d8 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel > *c, > err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq- > >mpwqe.wq, > &rq->wq_ctrl); > if (err) > - return err; > + goto err_rq_wq_destroy; > > rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR]; > > @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel > *c, > err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq- > >wqe.wq, > &rq->wq_ctrl); > if (err) > - return err; > + goto err_rq_wq_destroy; > > rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR]; >
Powered by blists - more mailing lists