| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <IA3PR11MB8986CAD67FDC2D778567A046E5A1A@IA3PR11MB8986.namprd11.prod.outlook.com>
Date: Thu, 11 Dec 2025 10:13:09 +0000
From: "Loktionov, Aleksandr" <aleksandr.loktionov@...el.com>
To: Kohei Enju <enjuk@...zon.com>, "intel-wired-lan@...ts.osuosl.org"
<intel-wired-lan@...ts.osuosl.org>, "netdev@...r.kernel.org"
<netdev@...r.kernel.org>
CC: "Nguyen, Anthony L" <anthony.l.nguyen@...el.com>, "Kitszel, Przemyslaw"
<przemyslaw.kitszel@...el.com>, Andrew Lunn <andrew+netdev@...n.ch>, "David
S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, "Jakub
Kicinski" <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "Jagielski,
Jedrzej" <jedrzej.jagielski@...el.com>, "Wegrzyn, Stefan"
<stefan.wegrzyn@...el.com>, Simon Horman <horms@...nel.org>, "Keller, Jacob
E" <jacob.e.keller@...el.com>, "kohei@...uk.org" <kohei@...uk.org>
Subject: RE: [Intel-wired-lan] [PATCH iwl-net v2 1/2] ixgbe: fix memory leaks
in the ixgbe_recovery_probe() path
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf
> Of Kohei Enju
> Sent: Thursday, December 11, 2025 10:16 AM
> To: intel-wired-lan@...ts.osuosl.org; netdev@...r.kernel.org
> Cc: Nguyen, Anthony L <anthony.l.nguyen@...el.com>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@...el.com>; Andrew Lunn
> <andrew+netdev@...n.ch>; David S. Miller <davem@...emloft.net>; Eric
> Dumazet <edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>; Paolo
> Abeni <pabeni@...hat.com>; Jagielski, Jedrzej
> <jedrzej.jagielski@...el.com>; Wegrzyn, Stefan
> <stefan.wegrzyn@...el.com>; Simon Horman <horms@...nel.org>; Keller,
> Jacob E <jacob.e.keller@...el.com>; kohei@...uk.org; Kohei Enju
> <enjuk@...zon.com>
> Subject: [Intel-wired-lan] [PATCH iwl-net v2 1/2] ixgbe: fix memory
> leaks in the ixgbe_recovery_probe() path
>
> When ixgbe_recovery_probe() is invoked and this function fails,
> allocated resources in advance are not completely freed, because
> ixgbe_probe() returns ixgbe_recovery_probe() directly and
> ixgbe_recovery_probe() only frees partial resources, resulting in
> memory leaks including:
> - adapter->io_addr
> - adapter->jump_tables[0]
> - adapter->mac_table
> - adapter->rss_key
> - adapter->af_xdp_zc_qps
>
> The leaked MMIO region can be observed in /proc/vmallocinfo, and the
> remaining leaks are reported by kmemleak.
>
> Don't return ixgbe_recovery_probe() directly, and instead let
> ixgbe_probe() to clean up resources on failures.
>
> Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery
> mode")
> Signed-off-by: Kohei Enju <enjuk@...zon.com>
> ---
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 20 ++++++++----------
> -
> 1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> index 4af3b3e71ff1..85023bb4e5a5 100644
> --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> @@ -11468,14 +11468,12 @@ static void ixgbe_set_fw_version(struct
> ixgbe_adapter *adapter)
> */
> static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter) {
> - struct net_device *netdev = adapter->netdev;
> struct pci_dev *pdev = adapter->pdev;
> struct ixgbe_hw *hw = &adapter->hw;
> - bool disable_dev;
> int err = -EIO;
>
> if (hw->mac.type != ixgbe_mac_e610)
> - goto clean_up_probe;
> + return err;
You've removed the clean_up_probe: label and its cleanup code (free_netdev, devlink_free, pci_release_mem_regions, pci_disable_device) without providing a proof that ixgbe_probe()'s error path correctly handles all these resources.
I'm afraid this patch may trade one leak for another, or cause double-free issues.
>
> ixgbe_get_hw_control(adapter);
> mutex_init(&hw->aci.lock);
> @@ -11507,13 +11505,6 @@ static int ixgbe_recovery_probe(struct
> ixgbe_adapter *adapter)
> shutdown_aci:
> mutex_destroy(&adapter->hw.aci.lock);
> ixgbe_release_hw_control(adapter);
> -clean_up_probe:
> - disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter-
> >state);
> - free_netdev(netdev);
> - devlink_free(adapter->devlink);
> - pci_release_mem_regions(pdev);
> - if (disable_dev)
> - pci_disable_device(pdev);
> return err;
> }
>
> @@ -11655,8 +11646,13 @@ static int ixgbe_probe(struct pci_dev *pdev,
> const struct pci_device_id *ent)
> if (err)
> goto err_sw_init;
>
> - if (ixgbe_check_fw_error(adapter))
> - return ixgbe_recovery_probe(adapter);
> + if (ixgbe_check_fw_error(adapter)) {
> + err = ixgbe_recovery_probe(adapter);
> + if (err)
> + goto err_sw_init;
The early return 0; on successful ixgbe_recovery_probe() bypasses the remainder of ixgbe_probe().
The commit message doesn't explain what subsequent initialization steps (if any) are intentionally skipped in recovery mode, or whether this is correct behavior.
> +
> + return 0;
> + }
>
> if (adapter->hw.mac.type == ixgbe_mac_e610) {
> err = ixgbe_get_caps(&adapter->hw);
> --
> 2.52.0
Powered by blists - more mailing lists