All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq
@ 2020-07-29 12:33 Xin Xiong
  2020-07-29 19:02 ` Saeed Mahameed
  0 siblings, 1 reply; 4+ messages in thread
From: Xin Xiong @ 2020-07-29 12:33 UTC (permalink / raw)
  To: Saeed Mahameed, Leon Romanovsky, David S. Miller, Jakub Kicinski,
	Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer,
	John Fastabend, Martin KaFai Lau, Song Liu, Yonghong Song,
	Andrii Nakryiko, KP Singh, netdev, linux-rdma, linux-kernel, bpf
  Cc: Xin Xiong, Xiyu Yang, Xin Tan, yuanxzhang

The function invokes bpf_prog_inc(), which increases the refcount of a
bpf_prog object "rq->xdp_prog" if the object isn't NULL.

The refcount leak issues take place in two error handling paths. When
mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function simply
returns the error code and forgets to drop the refcount increased
earlier, causing a refcount leak of "rq->xdp_prog".

Fix this issue by jumping to the error handling path err_rq_wq_destroy
when either function fails.

Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a836a02a2116..8e1b1ab416d8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
 		err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq,
 					&rq->wq_ctrl);
 		if (err)
-			return err;
+			goto err_rq_wq_destroy;
 
 		rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
 
@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
 		err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq,
 					 &rq->wq_ctrl);
 		if (err)
-			return err;
+			goto err_rq_wq_destroy;
 
 		rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
 
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq
  2020-07-29 12:33 [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq Xin Xiong
@ 2020-07-29 19:02 ` Saeed Mahameed
  2020-07-29 20:28   ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Saeed Mahameed @ 2020-07-29 19:02 UTC (permalink / raw)
  To: songliubraving, hawk, kafai, davem, kpsingh, john.fastabend,
	leon, linux-kernel, ast, linux-rdma, xiongx18, yhs, andriin,
	kuba, daniel, bpf, netdev
  Cc: xiyuyang19, tanxin.ctf, yuanxzhang

On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote:
> The function invokes bpf_prog_inc(), which increases the refcount of
> a
> bpf_prog object "rq->xdp_prog" if the object isn't NULL.
> 
> The refcount leak issues take place in two error handling paths. When
> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
> simply
> returns the error code and forgets to drop the refcount increased
> earlier, causing a refcount leak of "rq->xdp_prog".
> 
> Fix this issue by jumping to the error handling path
> err_rq_wq_destroy
> when either function fails.
> 

Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
types")

> 
> Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> index a836a02a2116..8e1b1ab416d8 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
>  		err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq-
> >mpwqe.wq,
>  					&rq->wq_ctrl);
>  		if (err)
> -			return err;
> +			goto err_rq_wq_destroy;
>  
>  		rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
>  
> @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
>  		err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq-
> >wqe.wq,
>  					 &rq->wq_ctrl);
>  		if (err)
> -			return err;
> +			goto err_rq_wq_destroy;
>  
>  		rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
>  

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq
  2020-07-29 19:02 ` Saeed Mahameed
@ 2020-07-29 20:28   ` David Miller
  2020-07-29 20:51     ` Saeed Mahameed
  0 siblings, 1 reply; 4+ messages in thread
From: David Miller @ 2020-07-29 20:28 UTC (permalink / raw)
  To: saeedm
  Cc: songliubraving, hawk, kafai, kpsingh, john.fastabend, leon,
	linux-kernel, ast, linux-rdma, xiongx18, yhs, andriin, kuba,
	daniel, bpf, netdev, xiyuyang19, tanxin.ctf, yuanxzhang

From: Saeed Mahameed <saeedm@mellanox.com>
Date: Wed, 29 Jul 2020 19:02:15 +0000

> On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote:
>> The function invokes bpf_prog_inc(), which increases the refcount of
>> a
>> bpf_prog object "rq->xdp_prog" if the object isn't NULL.
>> 
>> The refcount leak issues take place in two error handling paths. When
>> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
>> simply
>> returns the error code and forgets to drop the refcount increased
>> earlier, causing a refcount leak of "rq->xdp_prog".
>> 
>> Fix this issue by jumping to the error handling path
>> err_rq_wq_destroy
>> when either function fails.
>> 
> 
> Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
> types")

Saeed, are you going to take this into your tree or would you like me to
apply it directly?

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq
  2020-07-29 20:28   ` David Miller
@ 2020-07-29 20:51     ` Saeed Mahameed
  0 siblings, 0 replies; 4+ messages in thread
From: Saeed Mahameed @ 2020-07-29 20:51 UTC (permalink / raw)
  To: davem
  Cc: songliubraving, hawk, kafai, leon, kpsingh, john.fastabend,
	linux-kernel, linux-rdma, xiongx18, yhs, ast, andriin, kuba,
	daniel, bpf, tanxin.ctf, netdev, xiyuyang19, yuanxzhang

On Wed, 2020-07-29 at 13:28 -0700, David Miller wrote:
> From: Saeed Mahameed <saeedm@mellanox.com>
> Date: Wed, 29 Jul 2020 19:02:15 +0000
> 
> >> Fix this issue by jumping to the error handling path
> >> err_rq_wq_destroy
> >> when either function fails.
> >> 
> > 
> > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different
> RQ
> > types")
> 
> Saeed, are you going to take this into your tree or would you like me
> to
> apply it directly?
> 
> Thanks.

I will take this to my tree once Xin adds the missing Fixes tag.
Thanks.


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-07-29 20:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-29 12:33 [PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq Xin Xiong
2020-07-29 19:02 ` Saeed Mahameed
2020-07-29 20:28   ` David Miller
2020-07-29 20:51     ` Saeed Mahameed

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.