Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3964470ybl; Mon, 13 Jan 2020 05:47:46 -0800 (PST) X-Google-Smtp-Source: APXvYqwwo3+9W88bWhNn8uRgJIrfz2qagUNZBxxPA8RyWXNVz1kJZdLh+uJDUHV1vIhJHLqDtL1+ X-Received: by 2002:aca:33d5:: with SMTP id z204mr12044075oiz.120.1578923266006; Mon, 13 Jan 2020 05:47:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578923265; cv=none; d=google.com; s=arc-20160816; b=yRXe0vuawS8Lq3zknHiSv+GrB9Jqyl7XRcGnvBRc+HG0IcXvg98/LkqoMoqgzvgiZU PIj4UTcjq3ZCP2FXqZ6w0MuCz4gJGRK6n59WOrvwvSsFGD+J6S+LpT8Ku/Cp5N1pfC8x uy4kwsFVh5D931cUYkkNDDZa7PWvvdytDVWmYBmLOKu4iMy/j+ySQDMCZqUYcDP8j16v dHEXSsfjc0afMuXvBVlgiBuS581J8V5tkckRpPeaHMTDXSfCGXWudYWlcarhG9943KuO GB86bpVwOs9IoTdDu569DRkeBkccUHyMDWW4Vsu1lZSgNNLGeObCltlGTfxOoDCofkv7 BbPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=gOU3ypUA+dZ1F0eJ92AdSOKl3Q3p/dgw4zQaLQF4nFs=; b=oXLGnBmnWCiKiRpyG9AnSRjpSwe7G1Ta9NNSScTuSe6DJGC4GRLtehFXVt1bVZv13H sq8bsXFDgWy6DuI3EZKUib+CJQMe2N7emzzeSys0OLIhjvufYGvUPuh4v6Hf58R9TBzu ZNQCn6vnUol2FlN/I+KkwjMUTzCLGgf+ciq/gVrPg7+ORpN9bBv0jXycW2rJECDkdMl5 6RfjubmZyzh0o0R3OazsidEvLSKIbYwSadQiGIVsajzim+CCMgHcX4I0WFGP+d2/nr5T zpnZDvs6jMbzD+Q9D+rU7MOfWuvkx6PuZ+yjEEGrJgOy2dtf4yvJg7I9cNfpn6Pj4cM5 LnzA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f60si6862577otf.119.2020.01.13.05.47.34; Mon, 13 Jan 2020 05:47:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728820AbgAMNqU (ORCPT + 99 others); Mon, 13 Jan 2020 08:46:20 -0500 Received: from relay12.mail.gandi.net ([217.70.178.232]:39949 "EHLO relay12.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726074AbgAMNqU (ORCPT ); Mon, 13 Jan 2020 08:46:20 -0500 Received: from nexussix.ar.arcelik (unknown [84.44.14.226]) (Authenticated sender: cengiz@kernel.wtf) by relay12.mail.gandi.net (Postfix) with ESMTPSA id 01116200012; Mon, 13 Jan 2020 13:46:10 +0000 (UTC) From: Cengiz Can To: Leon Romanovsky , Saeed Mahameed , Yevgeny Kliteynik , Alex Vesker , Erez Shitrit , Tariq Toukan , "David S. Miller" , Jakub Kicinski Cc: netdev@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Cengiz Can Subject: [PATCH] net: mellanox: prevent resource leak on htbl Date: Mon, 13 Jan 2020 16:44:16 +0300 Message-Id: <20200113134415.86110-1-cengiz@kernel.wtf> X-Mailer: git-send-email 2.24.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org According to a Coverity static analysis tool, `drivers/net/mellanox/mlx5/core/steering/dr_rule.c#63` leaks a `struct mlx5dr_ste_htbl *` named `new_htbl` while returning from `dr_rule_create_collision_htbl` function. A annotated snippet of the possible resource leak follows: ``` static struct mlx5dr_ste * dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher, struct mlx5dr_matcher_rx_tx *nic_matcher, u8 *hw_ste) /* ... */ /* ... */ /* Storage is returned from allocation function mlx5dr_ste_htbl_alloc. */ /* Assigning: new_htbl = storage returned from mlx5dr_ste_htbl_alloc(..) */ new_htbl = mlx5dr_ste_htbl_alloc(dmn->ste_icm_pool, DR_CHUNK_SIZE_1, MLX5DR_STE_LU_TYPE_DONT_CARE, 0); /* Condition !new_htbl, taking false branch. */ if (!new_htbl) { mlx5dr_dbg(dmn, "Failed allocating collision table\n"); return NULL; } /* One and only entry, never grows */ ste = new_htbl->ste_arr; mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr); /* Resource new_htbl is not freed or pointed-to in mlx5dr_htbl_get */ mlx5dr_htbl_get(new_htbl); /* Variable new_htbl going out of scope leaks the storage it points to. */ return ste; ``` There's a caller of this function which does refcounting and free'ing by itself but that function also skips free'ing `new_htbl` due to missing jump to error label. (referring to `dr_rule_create_collision_entry lines 75-77. They don't jump to `free_tbl`) Added a `kfree(new_htbl)` just before returning `ste` pointer to fix the leak. Signed-off-by: Cengiz Can --- This might be totally breaking the refcounting logic in the file so please provide any feedback so I can evolve this into something more suitable. For the record, Coverity scan id is CID 1457773. drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c index e4cff7abb348..047b403c61db 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c @@ -60,6 +60,8 @@ dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher, mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr); mlx5dr_htbl_get(new_htbl); + kfree(new_htbl); + return ste; } -- 2.24.1