| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221207115537.zf2ikns77bxyt74m@skbuf>
Date: Wed, 7 Dec 2022 13:55:37 +0200
From: Vladimir Oltean <olteanv@...il.com>
To: Yuan Can <yuancan@...wei.com>
Cc: ioana.ciornei@....com, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org
Subject: Re: [PATCH] dpaa2-switch: Fix memory leak in
dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
Hi Yuan,
On Mon, Dec 05, 2022 at 06:15:15AM +0000, Yuan Can wrote:
> The cmd_buff needs to be freed when error happened in
> dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
>
> Fixes: 1110318d83e8 ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
> Signed-off-by: Yuan Can <yuancan@...wei.com>
> ---
> drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
> index cacd454ac696..c39b866e2582 100644
> --- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
> +++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
> @@ -132,6 +132,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
> DMA_TO_DEVICE);
> if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
> dev_err(dev, "DMA mapping failed\n");
> + kfree(cmd_buff);
> return -EFAULT;
> }
>
> @@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
> DMA_TO_DEVICE);
> if (err) {
> dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
> + kfree(cmd_buff);
To reduce the number of kfree() calls, this last one can be put right
before checking for error, and we could remove the kfree(cmd_buff) call at
the very end. I mean that was already the intention, if you look at the
dma_unmap_single() call compared to the error checking. Like this:
err = dpsw_acl_add_entry(...);
dma_unmap_single(dev, acl_entry_cfg->key_iova, sizeof(cmd_buff),
DMA_TO_DEVICE);
kfree(cmd_buff);
if (err) {
dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
return err;
}
return 0;
}
> return err;
> }
>
> @@ -172,6 +174,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
> DMA_TO_DEVICE);
> if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
> dev_err(dev, "DMA mapping failed\n");
> + kfree(cmd_buff);
> return -EFAULT;
> }
>
> @@ -182,6 +185,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
> DMA_TO_DEVICE);
> if (err) {
> dev_err(dev, "dpsw_acl_remove_entry() failed %d\n", err);
> + kfree(cmd_buff);
Similar here:
err = dpsw_acl_remove_entry(ethsw->mc_io, 0, ethsw->dpsw_handle,
block->acl_id, acl_entry_cfg);
dma_unmap_single(dev, acl_entry_cfg->key_iova, sizeof(cmd_buff),
DMA_TO_DEVICE);
kfree(cmd_buff);
if (err) {
dev_err(dev, "dpsw_acl_remove_entry() failed %d\n", err);
return err;
}
return 0;
}
> return err;
> }
>
> --
> 2.17.1
>
Powered by blists - more mailing lists