| Message ID | 20200729123334.GA6766@xin-virtual-machine |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | David Miller |
| Headers | show |
| Series | net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq | expand |
On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote: > The function invokes bpf_prog_inc(), which increases the refcount of > a > bpf_prog object "rq->xdp_prog" if the object isn't NULL. > > The refcount leak issues take place in two error handling paths. When > mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function > simply > returns the error code and forgets to drop the refcount increased > earlier, causing a refcount leak of "rq->xdp_prog". > > Fix this issue by jumping to the error handling path > err_rq_wq_destroy > when either function fails. > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types") > > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > index a836a02a2116..8e1b1ab416d8 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c > @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel > *c, > err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq- > >mpwqe.wq, > &rq->wq_ctrl); > if (err) > - return err; > + goto err_rq_wq_destroy; > > rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR]; > > @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel > *c, > err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq- > >wqe.wq, > &rq->wq_ctrl); > if (err) > - return err; > + goto err_rq_wq_destroy; > > rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR]; >
From: Saeed Mahameed <saeedm@mellanox.com> Date: Wed, 29 Jul 2020 19:02:15 +0000 > On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote: >> The function invokes bpf_prog_inc(), which increases the refcount of >> a >> bpf_prog object "rq->xdp_prog" if the object isn't NULL. >> >> The refcount leak issues take place in two error handling paths. When >> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function >> simply >> returns the error code and forgets to drop the refcount increased >> earlier, causing a refcount leak of "rq->xdp_prog". >> >> Fix this issue by jumping to the error handling path >> err_rq_wq_destroy >> when either function fails. >> > > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ > types") Saeed, are you going to take this into your tree or would you like me to apply it directly? Thanks.
On Wed, 2020-07-29 at 13:28 -0700, David Miller wrote: > From: Saeed Mahameed <saeedm@mellanox.com> > Date: Wed, 29 Jul 2020 19:02:15 +0000 > > >> Fix this issue by jumping to the error handling path > >> err_rq_wq_destroy > >> when either function fails. > >> > > > > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different > RQ > > types") > > Saeed, are you going to take this into your tree or would you like me > to > apply it directly? > > Thanks. I will take this to my tree once Xin adds the missing Fixes tag. Thanks.
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index a836a02a2116..8e1b1ab416d8 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq, &rq->wq_ctrl); if (err) - return err; + goto err_rq_wq_destroy; rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR]; @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq, &rq->wq_ctrl); if (err) - return err; + goto err_rq_wq_destroy; rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];