Subject: Re: [PATCH v4] net: mlx5: Add a missing check on idr_find, free buf
To: Aditya Pakki
Cc: kjlu@umn.edu, Boris Pismenny, Saeed Mahameed, Leon Romanovsky, "David S. Miller", Ilya Lesokhin, Wei Yongjun, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20190319214244.20212-1-pakki001@umn.edu>
From: Eric Dumazet
Date: Tue, 19 Mar 2019 21:54:10 -0700

On 03/19/2019 02:42 PM, Aditya Pakki wrote:
> idr_find() can return a NULL value to 'flow' which is used without a
> check. The patch adds a check to avoid potential NULL pointer dereference.
>
> In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated
> using kzalloc.
>
> Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
> ---
> v3: Reorder buf allocations and flow check.
> v2: failure to return in case of flow failure.
> v1: Failed to free buf in case of flow failure.
>
> Signed-off-by: Aditya Pakki
> ---
> drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> index 5cf5f2a9d51f..8de64e88c670 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> @@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, > void *cmd; > int ret; > > + rcu_read_lock(); > + flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); > + rcu_read_unlock(); This looks suspect (even before your patch) What prevents flow from disappearing after this rcu_read_lock() ? IMO your patch might prevent a NULL deref, but not use-after-free. > + > + if (!flow) { > + WARN_ONCE(1, "Received NULL pointer for handle\n"); > + return -EINVAL; > + } > + > buf = kzalloc(size, GFP_ATOMIC); > if (!buf) > return -ENOMEM; > > cmd = (buf + 1); > > - rcu_read_lock(); > - flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); > - rcu_read_unlock(); > mlx5_fpga_tls_flow_to_cmd(flow, cmd); > > MLX5_SET(tls_cmd, cmd, swid, ntohl(handle)); > @@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, > buf->complete = mlx_tls_kfree_complete; > > ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf); > + if (ret < 0) > + kfree(buf); > > return ret; > } >
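Review bot: In the first hunk (@@ -217), rcu_read_unlock() still comes straight after idr_find(), so the added !flow check covers only the NULL case; flow is dereferenced later by mlx5_fpga_tls_flow_to_cmd(flow, cmd), outside the read-side section, and nothing in these lines keeps the entry alive until then. If rx_idr entries are released under RCU, hold the read lock until the copy into cmd is finished: allocate buf first (it is already GFP_ATOMIC), then lock, look up, check, call mlx5_fpga_tls_flow_to_cmd(), and unlock, with kfree(buf) on the !flow path. If something else guarantees the flow's lifetime here, the commit message should say what.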
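Review bot: In the second hunk (@@ -238), the added kfree(buf) under "if (ret < 0)" sits after buf->complete = mlx_tls_kfree_complete, so it is only safe if mlx5_fpga_sbu_conn_sendmsg() never runs the completion callback for a buffer it rejects; if an error path does run it and that callback also frees buf, the buffer is freed twice. Please confirm that against the sendmsg error paths and record the ownership rule in the commit message or in a one-line comment above the kfree().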