From: Alex Vesker <valex@mellanox.com>
To: Cengiz Can <cengiz@kernel.wtf>, Leon Romanovsky <leon@kernel.org>,
Saeed Mahameed <saeedm@mellanox.com>,
Yevgeny Kliteynik <kliteyn@mellanox.com>,
Erez Shitrit <erezsh@mellanox.com>,
Tariq Toukan <tariqt@mellanox.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] net: mellanox: prevent resource leak on htbl
Date: Mon, 13 Jan 2020 14:49:45 +0000 [thread overview]
Message-ID: <HE1PR0501MB22490CD10A5A258E8C08DE86C3350@HE1PR0501MB2249.eurprd05.prod.outlook.com> (raw)
In-Reply-To: 20200113134415.86110-1-cengiz@kernel.wtf
On 1/13/2020 3:46 PM, Cengiz Can wrote:
> According to a Coverity static analysis tool,
> `drivers/net/mellanox/mlx5/core/steering/dr_rule.c#63` leaks a
> `struct mlx5dr_ste_htbl *` named `new_htbl` while returning from
> `dr_rule_create_collision_htbl` function.
>
> A annotated snippet of the possible resource leak follows:
>
> ```
> static struct mlx5dr_ste *
> dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher,
> struct mlx5dr_matcher_rx_tx *nic_matcher,
> u8 *hw_ste)
> /* ... */
> /* ... */
>
> /* Storage is returned from allocation function mlx5dr_ste_htbl_alloc. */
> /* Assigning: new_htbl = storage returned from mlx5dr_ste_htbl_alloc(..) */
> new_htbl = mlx5dr_ste_htbl_alloc(dmn->ste_icm_pool,
> DR_CHUNK_SIZE_1,
> MLX5DR_STE_LU_TYPE_DONT_CARE,
> 0);
> /* Condition !new_htbl, taking false branch. */
> if (!new_htbl) {
> mlx5dr_dbg(dmn, "Failed allocating collision table\n");
> return NULL;
> }
>
> /* One and only entry, never grows */
> ste = new_htbl->ste_arr;
> mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr);
> /* Resource new_htbl is not freed or pointed-to in mlx5dr_htbl_get */
> mlx5dr_htbl_get(new_htbl);
>
> /* Variable new_htbl going out of scope leaks the storage it points to. */
> return ste;
> ```
>
> There's a caller of this function which does refcounting and free'ing by
> itself but that function also skips free'ing `new_htbl` due to missing
> jump to error label. (referring to `dr_rule_create_collision_entry lines
> 75-77. They don't jump to `free_tbl`)
>
> Added a `kfree(new_htbl)` just before returning `ste` pointer to fix the
> leak.
>
> Signed-off-by: Cengiz Can <cengiz@kernel.wtf>
> ---
>
> This might be totally breaking the refcounting logic in the file so
> please provide any feedback so I can evolve this into something more
> suitable.
>
> For the record, Coverity scan id is CID 1457773.
>
> drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
> index e4cff7abb348..047b403c61db 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
> @@ -60,6 +60,8 @@ dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher,
> mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr);
> mlx5dr_htbl_get(new_htbl);
>
> + kfree(new_htbl);
> +
> return ste;
> }
>
> --
> 2.24.1
>
>
The fix looks incorrect to me.
The table is pointed by each ste in the ste_arr, ste->new_htbl and being
freed on mlx5dr_htbl_put.
We tested kmemleak a few days ago and came clean.
usually coverity is not wrong, but in this case I don't see the bug...
next prev parent reply other threads:[~2020-01-13 14:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-13 13:44 [PATCH] net: mellanox: prevent resource leak on htbl Cengiz Can
2020-01-13 14:49 ` Alex Vesker [this message]
2020-01-13 17:25 ` Cengiz Can
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=HE1PR0501MB22490CD10A5A258E8C08DE86C3350@HE1PR0501MB2249.eurprd05.prod.outlook.com \
--to=valex@mellanox.com \
--cc=cengiz@kernel.wtf \
--cc=davem@davemloft.net \
--cc=erezsh@mellanox.com \
--cc=jakub.kicinski@netronome.com \
--cc=kliteyn@mellanox.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=saeedm@mellanox.com \
--cc=tariqt@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).