2020-07-30 10:31:06

by Xin Xiong

Subject: [PATCH v2] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq

The function invokes bpf_prog_inc(), which increases the reference
count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.

The refcount leak issues take place in two error handling paths. When
either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
simply returns the error code and forgets to drop the reference count
increased earlier, causing a reference count leak of "rq->xdp_prog".

Fix this issue by jumping to the error handling path err_rq_wq_destroy
while either function fails.

Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
types")

Signed-off-by: Xin Xiong <[email protected]>
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
v1 -> v2:
- Amended parts of wording to be better understood
- Added Fixes tag
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a836a02a2116..8e1b1ab416d8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq,
&rq->wq_ctrl);
if (err)
- return err;
+ goto err_rq_wq_destroy;

rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];

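Review bot: The new `goto err_rq_wq_destroy;` after `mlx5_wq_ll_create()` is taken exactly when the WQ was not created, yet the label name says it destroys the WQ. The body of that label is not shown in this diff, so please confirm that whatever it does with `rq->wq_ctrl` is safe after a failed create. If it is not, add a separate label placed after the WQ teardown that only drops the `rq->xdp_prog` reference, and jump there instead.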
@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq,
&rq->wq_ctrl);
if (err)
- return err;
+ goto err_rq_wq_destroy;

rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];

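Review bot: In the `mlx5_wq_cyc_create()` failure branch, `goto err_rq_wq_destroy;` now shares its unwind with failures that happen after the cyclic WQ exists, and the commit message only mentions dropping the "rq->xdp_prog" reference. Please add a sentence to the commit message listing what else runs under that label and why it is harmless when `rq->wqe.wq` was never set up. Otherwise give this branch a narrower label so that only the reference taken by `bpf_prog_inc()` is released.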
--
2.25.1


2020-07-30 23:19:24

by Jakub Kicinski

Subject: Re: [PATCH v2] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq

On Thu, 30 Jul 2020 18:29:41 +0800 Xin Xiong wrote:
> Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
> types")
>
> Signed-off-by: Xin Xiong <[email protected]>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>

Thanks for the patch, please make sure Fixes tag is not line-wrapped
and there is no empty line between that and the sign-offs.

2020-07-30 23:19:28

by Saeed Mahameed

Subject: Re: [PATCH v2] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq

On Thu, 2020-07-30 at 18:29 +0800, Xin Xiong wrote:
> The function invokes bpf_prog_inc(), which increases the reference
> count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.
>
> The refcount leak issues take place in two error handling paths. When
> either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the
> function
> simply returns the error code and forgets to drop the reference count
> increased earlier, causing a reference count leak of "rq->xdp_prog".
>
> Fix this issue by jumping to the error handling path
> err_rq_wq_destroy
> while either function fails.
>
> Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different
> RQ
> types")
>

Please don't break the line of the fixes tag.
I will fix this up.

> Signed-off-by: Xin Xiong <[email protected]>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> v1 -> v2:
> - Amended parts of wording to be better understood
> - Added Fixes tag
> ---

Applied to net-mlx5, Thanks !