| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251025160905.3857885-379-sashal@kernel.org>
Date: Sat, 25 Oct 2025 12:00:10 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
stable@...r.kernel.org
Cc: Bhargava Marreddy <bhargava.marreddy@...adcom.com>,
Vikas Gupta <vikas.gupta@...adcom.com>,
Rajashekar Hudumula <rajashekar.hudumula@...adcom.com>,
Jakub Kicinski <kuba@...nel.org>,
Sasha Levin <sashal@...nel.org>,
netdev@...r.kernel.org
Subject: [PATCH AUTOSEL 6.17] bng_en: make bnge_alloc_ring() self-unwind on failure
From: Bhargava Marreddy <bhargava.marreddy@...adcom.com>
[ Upstream commit 9ee5994418bb527788e77361d338af40a126aa21 ]
Ensure bnge_alloc_ring() frees any intermediate allocations
when it fails. This enables later patches to rely on this
self-unwinding behavior.
Signed-off-by: Bhargava Marreddy <bhargava.marreddy@...adcom.com>
Reviewed-by: Vikas Gupta <vikas.gupta@...adcom.com>
Reviewed-by: Rajashekar Hudumula <rajashekar.hudumula@...adcom.com>
Link: https://patch.msgid.link/20250919174742.24969-2-bhargava.marreddy@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
LLM Generated explanations, may be completely bogus:
YES
- Change makes `bnge_alloc_ring()` jump to `err_free_ring` and call
`bnge_free_ring()` whenever a DMA page or the optional `vzalloc()`
fails (`drivers/net/ethernet/broadcom/bnge/bnge_rmem.c:93-125`). That
guarantees every partially allocated page, page-table entry, and vmem
buffer is released before the function returns `-ENOMEM`.
- Without this patch, callers such as `alloc_one_cp_ring()` leak DMA
buffers on allocation failure: its error path only invokes
`bnge_free_cp_desc_arr()` which frees the host-side arrays but not the
coherent allocations
(`drivers/net/ethernet/broadcom/bnge/bnge_netdev.c:239-246` together
with `drivers/net/ethernet/broadcom/bnge/bnge_netdev.c:112-121`).
Similar allocation sites rely on `bnge_alloc_ring()` to clean up for
them, so the leak is user-visible under memory pressure.
- `bnge_free_ring()` already tolerates partially initialized state,
skipping NULL slots and resetting pointers
(`drivers/net/ethernet/broadcom/bnge/bnge_rmem.c:36-66`), so even
callers that still run their normal unwind paths (e.g.
`bnge_free_nq_tree()` and `bnge_free_tx_rings()`) remain safe—double
frees are avoided because the pointers are nulled.
- Scope is limited to the new `bng_en` driver; no interfaces or success
paths change. The fix eliminates a real leak and carries very low
regression risk, making it a good candidate for stable backporting.
drivers/net/ethernet/broadcom/bnge/bnge_rmem.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c b/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
index 52ada65943a02..98b4e9f55bcbb 100644
--- a/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
+++ b/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
@@ -95,7 +95,7 @@ int bnge_alloc_ring(struct bnge_dev *bd, struct bnge_ring_mem_info *rmem)
&rmem->dma_arr[i],
GFP_KERNEL);
if (!rmem->pg_arr[i])
- return -ENOMEM;
+ goto err_free_ring;
if (rmem->ctx_mem)
bnge_init_ctx_mem(rmem->ctx_mem, rmem->pg_arr[i],
@@ -116,10 +116,13 @@ int bnge_alloc_ring(struct bnge_dev *bd, struct bnge_ring_mem_info *rmem)
if (rmem->vmem_size) {
*rmem->vmem = vzalloc(rmem->vmem_size);
if (!(*rmem->vmem))
- return -ENOMEM;
+ goto err_free_ring;
}
-
return 0;
+
+err_free_ring:
+ bnge_free_ring(bd, rmem);
+ return -ENOMEM;
}
static int bnge_alloc_ctx_one_lvl(struct bnge_dev *bd,
--
2.51.0
Powered by blists - more mailing lists