Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp7254621rdb;
        Wed, 3 Jan 2024 09:23:16 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHCIXKxw8BzI6xur+ufvj5ebG4+R+kEj36gaEo9xbCnzkV8afAuULFO2kF1iqdmLjKZjmRj
X-Received: by 2002:a05:6a20:7fa2:b0:194:deaa:3f06 with SMTP id d34-20020a056a207fa200b00194deaa3f06mr1666391pzj.6.1704302595912;
        Wed, 03 Jan 2024 09:23:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704302595; cv=none;
        d=google.com; s=arc-20160816;
        b=I1gR0WxmtaIfPo3Pk0c1e63UYAjzFf9aLOyaeywGUC+CpQNfIddi6wbO1/DUIqZZ8w
         4wadUKS4+mNl6X+S2Y1d8W3YZrkBPyv1C5l6lOVxy7JYuwrIN6Rn/Hrrqt8prxQbKz8C
         /ZrxqyNCHL5okDCIubP6XGW/fQKRtMCjHcHhHddL2e/Yia8s0sfQinlRXFlQ7GsrRgLk
         OO9fvD+1NBpVi5HsmLy0uWtRs/iR0RmFY35xsjc8Kk065G7vQUz4lVG6L3FYVz6Cgcs2
         G6go9UK7PkWCqnIeGgffaSHtGYkjXEdmxDAvJyNIYuupbzV4r2szz2cNxx8eQhDr5eld
         x8bQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=7IJXLEyTt539XVZLnqOts4cZK0xDDnw78vyNCFreT4Y=;
        fh=9zqRx+GNpScMPCWDco+LS9Ydp9CYDADAb+HYhJ22Ri0=;
        b=xRde9IY2znhw2QngGPttk5PvMDONzZv2hUMSXcrY8lKoHD/Rqh6tzOB9nZyV3hkkoa
         LDFzyClRJyu87Uo4qkS/LbF/3YextqQQK6FZuGypOQbTTSWWAW7vyYuP0xHIa31Ewk3x
         Xe2ARUasBYPfQVjDjDAK+WAC1SkkkZ6z3mK/4AhMJh73o/1PbZzmevk4DojMT3/zxfkW
         rVx0BN4Xk5Qzs5w7j4FWd/II15W0eh7lPZoavFl5tltVgBpQom+1X8MPeemdDHoxu20V
         rUqa25LJIxW9fmSnAnjd6YQKpX1GU86u+fK6igGzlRVqWiJVz/2PtJ8tFvrF2uvMyBQL
         9pOw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=id+Jtz1l;
       spf=pass (google.com: domain of linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id bj19-20020a056a02019300b005be00224982si23575047pgb.381.2024.01.03.09.23.15
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Jan 2024 09:23:15 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=id+Jtz1l;
       spf=pass (google.com: domain of linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-15797-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 87A54B22A81
	for <linux.lists.archive@gmail.com>; Wed,  3 Jan 2024 17:23:14 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E4B3C1C2A3;
	Wed,  3 Jan 2024 17:23:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="id+Jtz1l"
X-Original-To: linux-kernel@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1409F1C283;
	Wed,  3 Jan 2024 17:22:59 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49332C433C8;
	Wed,  3 Jan 2024 17:22:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1704302579;
	bh=3iyOZymBQYPfh3A81OW/8BHqC2kwA+1c8I7WqYrHYY8=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=id+Jtz1laHJDT6jC/h8FzAg0YKDKd0ybFlwNZ0ZusovfviIq9YSUjmSOsw6H7w9mA
	 cE0hmYXoqQHfAnFSnJ503UZnBguSbdBHrWYc6Y9K2X5jn2w59zLnDoBwxUkWQQ+mBH
	 6rKLpvQfups/h61P3D3gmJbSbOBHU7wDW7LCk5M0wZ83pjKo1PxIsafk6q6w9cROmm
	 dZME5g/+WiX+Qd5SQQp52DMNwDO8wfZgu3xO4DdxxX/HN7QzfHSuzGNAtl+dJmb4Ls
	 380GNdSq9I2cUl8bZ3+FwUwQqIFlKwnbnPloQCQScW+EeEiA0uRDoHKdFC94fabzCi
	 RD5jwsd1yMdLg==
Date: Wed, 3 Jan 2024 17:22:54 +0000
From: Simon Horman <horms@kernel.org>
To: Zhipeng Lu <alexious@zju.edu.cn>
Cc: Saeed Mahameed <saeedm@nvidia.com>, Leon Romanovsky <leon@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Maor Gottlieb <maorg@mellanox.com>, netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net/mlx5e: fix a double-free in arfs_create_groups
Message-ID: <20240103172254.GB31813@kernel.org>
References: <20231224081348.3535146-1-alexious@zju.edu.cn>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231224081348.3535146-1-alexious@zju.edu.cn>

On Sun, Dec 24, 2023 at 04:13:48PM +0800, Zhipeng Lu wrote:
> When `in` allocated by kvzalloc fails, arfs_create_groups will free
> ft->g and return an error. However, arfs_create_table, the only caller of
> arfs_create_groups, will hold this error and call to
> mlx5e_destroy_flow_table, in which the ft->g will be freed again.
> 
> Fixes: 1cabe6b0965e ("net/mlx5e: Create aRFS flow tables")
> Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>

Thanks,

I agree this addresses the issue that you describe.
And as a minimal fix it looks good.

Reviewed-by: Simon Horman <horms@kernel.org>

However, I would like to suggest that some clean-up work could
take place as a follow-up.

I think that the error handling in this area of the code
is rather fragile. This is because initialisation is not necessarily
unwound on error within the function that initialisation occurs.

I think it would be better if arfs_create_groups():

1. Released allocates resources it allocates, including ft->g and
   elements of ft->g, on error.
2. This was achieved by using a goto unwind ladder.
3. The caller treated ft->g as uninitialised if
   arfs_create_groups fails.

Likewise, I think that:

* arfs_create_groups, should initialise ft->num_groups

And further, logic similar to the above should guide
how arfs_create_table() initialises ft->t and cleans it
up on error.

I did not look at the code beyond the scope described above.
But the above are general principles that may well apply in
other nearby code too.

...