Date:   Wed, 29 Jul 2020 19:02:15 +0000
From:   Saeed Mahameed <saeedm@...lanox.com>
To:     "songliubraving@...com" <songliubraving@...com>,
        "hawk@...nel.org" <hawk@...nel.org>, "kafai@...com" <kafai@...com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "kpsingh@...omium.org" <kpsingh@...omium.org>,
        "john.fastabend@...il.com" <john.fastabend@...il.com>,
        "leon@...nel.org" <leon@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "ast@...nel.org" <ast@...nel.org>,
        "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
        "xiongx18@...an.edu.cn" <xiongx18@...an.edu.cn>,
        "yhs@...com" <yhs@...com>, "andriin@...com" <andriin@...com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "xiyuyang19@...an.edu.cn" <xiyuyang19@...an.edu.cn>,
        "tanxin.ctf@...il.com" <tanxin.ctf@...il.com>,
        "yuanxzhang@...an.edu.cn" <yuanxzhang@...an.edu.cn>
Subject: Re: [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq

On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote:
> The function invokes bpf_prog_inc(), which increases the refcount of a
> bpf_prog object "rq->xdp_prog" if the object isn't NULL.
> 
> The refcount leak issues take place in two error handling paths. When
> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function simply
> returns the error code and forgets to drop the refcount increased
> earlier, causing a refcount leak of "rq->xdp_prog".
> 
> Fix this issue by jumping to the error handling path err_rq_wq_destroy
> when either function fails.
> 

Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types")

> 
> Signed-off-by: Xin Xiong <xiongx18@...an.edu.cn>
> Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> index a836a02a2116..8e1b1ab416d8 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
>  		err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq-
> >mpwqe.wq,
>  					&rq->wq_ctrl);
>  		if (err)
> -			return err;
> +			goto err_rq_wq_destroy;
>  
>  		rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
>  
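
Review bot: the new "goto err_rq_wq_destroy" is taken exactly when mlx5_wq_ll_create() has failed, yet the label name says it tears down the work queue, and the label body is not visible in this diff. Please confirm that the cleanup under that label is safe to run on an &rq->wq_ctrl whose creation did not succeed (no second free of anything the failed create already released). If it is not, add a separate label placed after the WQ destroy step so that this path only drops the rq->xdp_prog reference and whatever else was set up before the create call.
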
> @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
>  		err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq-
> >wqe.wq,
>  					 &rq->wq_ctrl);
>  		if (err)
> -			return err;
> +			goto err_rq_wq_destroy;
>  
>  		rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
>  
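
Review bot: nothing in the visible context of this mlx5_wq_cyc_create() hunk shows that err_rq_wq_destroy actually drops the reference taken by bpf_prog_inc(), so the fix cannot be verified from the diff alone. The changelog should say which statement under that label puts rq->xdp_prog and what other teardown the label performs, so a reader can see that the jump releases the refcount and does nothing unwanted when wqe.wq was never created.
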
