2022-03-01 19:11:45

by Yeqi Fu

[permalink] [raw]
Subject: [PATCH v1] dpaa2-switch: fix memory leak of dpaa2_switch_acl_entry_add

The error handling branch did not properly free the memory of cmd_buf
before return, which would cause memory leak. So fix this by adding
kfree to the error handling branch.

Fixes: 1110318d83e8 ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
Signed-off-by: Yeqi Fu <[email protected]>
Signed-off-by: Yongzhi Liu <[email protected]>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
index cacd454ac696..4d07aee07f4c 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
@@ -132,6 +132,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
DMA_TO_DEVICE);
if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
dev_err(dev, "DMA mapping failed\n");
+ kfree(cmd_buff);
return -EFAULT;
}

@@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
DMA_TO_DEVICE);
if (err) {
dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
+ kfree(cmd_buff);
return err;
}

--
2.30.1 (Apple Git-130)


2022-03-02 04:26:32

by Jakub Kicinski

[permalink] [raw]
Subject: Re: [PATCH v1] dpaa2-switch: fix memory leak of dpaa2_switch_acl_entry_add

On Tue, 1 Mar 2022 22:15:44 +0800 Yeqi Fu wrote:
> @@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
> DMA_TO_DEVICE);
> if (err) {
> dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
> + kfree(cmd_buff);
> return err;
> }

With more context:

return -EFAULT;
}

err = dpsw_acl_add_entry(ethsw->mc_io, 0, ethsw->dpsw_handle,
filter_block->acl_id, acl_entry_cfg);

dma_unmap_single(dev, acl_entry_cfg->key_iova, sizeof(cmd_buff),
DMA_TO_DEVICE);
if (err) {
dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
+ kfree(cmd_buff);
return err;
}

kfree(cmd_buff);

return 0;
}

Here we see unmap is "pulled up" above the error check, same thing can
be done with the kfree(). Otherwise it looks slightly weird - the
buffer unmap and kfree are conceptually part of releasing the buffer,
yet they are split across the paths.