lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <98DC11D9-668E-47F2-891C-6F41E70BD5F4@gmail.com>
Date:   Thu, 10 Jun 2021 20:53:10 +0100
From:   Dhiraj Shah <find.dhiraj@...il.com>
To:     Dexuan Cui <decui@...rosoft.com>
Cc:     KY Srinivasan <kys@...rosoft.com>,
        Haiyang Zhang <haiyangz@...rosoft.com>,
        Stephen Hemminger <sthemmin@...rosoft.com>,
        Wei Liu <wei.liu@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Shachar Raindel <shacharr@...rosoft.com>,
        Colin Ian King <colin.king@...onical.com>,
        "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] function mana_hwc_create_wq leaks memory

Hi Dexuan,

Thanks for the feedback.

You are right saying ‘mana_hwc_destroy_wq' free’s up the queue. 

However for example if  function 'mana_hwc_alloc_dma_buf' fails it will goto ‘out' and  call  ‘mana_hwc_destroy_wq', the value 'hwc_wq->gdma_wq' is still not assigned at this point. In the  ‘mana_hwc_destroy_wq' function i see it checks for 'hwc_wq->gdma_wq' before calling, ‘mana_gd_destroy_queue', which makes me think queue is still not freed.

Please let me know if i am missing something.

Regards,
/Dhiraj

> On 10 Jun 2021, at 18:28, Dexuan Cui <decui@...rosoft.com> wrote:
> 
>> From: Dexuan Cui <decui@...rosoft.com>
>> Sent: Thursday, June 10, 2021 10:18 AM
>> ...
>>> diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c
>>> b/drivers/net/ethernet/microsoft/mana/hw_channel.c
>>> index 1a923fd99990..4aa4bda518fb 100644
>>> --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
>>> +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
>>> @@ -501,8 +501,10 @@ static int mana_hwc_create_wq(struct
>>> hw_channel_context *hwc,
>>> 	*hwc_wq_ptr = hwc_wq;
>>> 	return 0;
>>> out:
>>> -	if (err)
>>> +	if (err) {
>> 
>> Here the 'err' must be non-zero. Can you please remove this 'if'?
>> 
>>> +		kfree(queue);
>>> 		mana_hwc_destroy_wq(hwc, hwc_wq);
>>> +	}
>>> 	return err;
>>> }
>> 
>> Reviewed-by: Dexuan Cui <decui@...rosoft.com>
> 
> Hi Dhiraj,
> I checked the code again and it looks like your patch is actually
> unnecessary as IMO there is no memory leak here: the 'queue'
> pointer is passed to mana_hwc_destroy_wq() as hwc_wq->gdma_wq,
> and is later freed in mana_gd_destroy_queue() ->
> mana_gd_destroy_queue().
> 
> The 'if' test can be removed as the 'err's is always non-zero there.
> 
> Thanks,
> Dexuan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ