The function invokes bpf_prog_inc(), which increases the refcount of a
bpf_prog object "rq->xdp_prog" if the object isn't NULL.
The refcount leak issues take place in two error handling paths. When
mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function simply
returns the error code and forgets to drop the refcount increased
earlier, causing a refcount leak of "rq->xdp_prog".
Fix this issue by jumping to the error handling path err_rq_wq_destroy
when either function fails.
Signed-off-by: Xin Xiong <[email protected]>
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a836a02a2116..8e1b1ab416d8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq,
&rq->wq_ctrl);
if (err)
- return err;
+ goto err_rq_wq_destroy;
rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq,
&rq->wq_ctrl);
if (err)
- return err;
+ goto err_rq_wq_destroy;
rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
--
2.25.1
On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote:
> The function invokes bpf_prog_inc(), which increases the refcount of
> a
> bpf_prog object "rq->xdp_prog" if the object isn't NULL.
>
> The refcount leak issues take place in two error handling paths. When
> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
> simply
> returns the error code and forgets to drop the refcount increased
> earlier, causing a refcount leak of "rq->xdp_prog".
>
> Fix this issue by jumping to the error handling path
> err_rq_wq_destroy
> when either function fails.
>
Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
types")
>
> Signed-off-by: Xin Xiong <[email protected]>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> index a836a02a2116..8e1b1ab416d8 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> @@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
> err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq-
> >mpwqe.wq,
> &rq->wq_ctrl);
> if (err)
> - return err;
> + goto err_rq_wq_destroy;
>
> rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
>
> @@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel
> *c,
> err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq-
> >wqe.wq,
> &rq->wq_ctrl);
> if (err)
> - return err;
> + goto err_rq_wq_destroy;
>
> rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
>
From: Saeed Mahameed <[email protected]>
Date: Wed, 29 Jul 2020 19:02:15 +0000
> On Wed, 2020-07-29 at 20:33 +0800, Xin Xiong wrote:
>> The function invokes bpf_prog_inc(), which increases the refcount of
>> a
>> bpf_prog object "rq->xdp_prog" if the object isn't NULL.
>>
>> The refcount leak issues take place in two error handling paths. When
>> mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
>> simply
>> returns the error code and forgets to drop the refcount increased
>> earlier, causing a refcount leak of "rq->xdp_prog".
>>
>> Fix this issue by jumping to the error handling path
>> err_rq_wq_destroy
>> when either function fails.
>>
>
> Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
> types")
Saeed, are you going to take this into your tree or would you like me to
apply it directly?
Thanks.
On Wed, 2020-07-29 at 13:28 -0700, David Miller wrote:
> From: Saeed Mahameed <[email protected]>
> Date: Wed, 29 Jul 2020 19:02:15 +0000
>
> >> Fix this issue by jumping to the error handling path
> >> err_rq_wq_destroy
> >> when either function fails.
> >>
> >
> > Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different
> RQ
> > types")
>
> Saeed, are you going to take this into your tree or would you like me
> to
> apply it directly?
>
> Thanks.
I will take this to my tree once Xin adds the missing Fixes tag.
Thanks.