| Message ID | 20201221085031.6591-1-dinghao.liu@zju.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | net/mlx5e: Fix two double free cases | expand |
On Mon, Dec 21, 2020 at 04:50:31PM +0800, Dinghao Liu wrote: > mlx5e_create_ttc_table_groups() frees ft->g on failure of > kvzalloc(), but such failure will be caught by its caller > in mlx5e_create_ttc_table() and ft->g will be freed again > in mlx5e_destroy_flow_table(). The same issue also occurs > in mlx5e_create_ttc_table_groups(). > > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) I'm not thrilled to see release in the error flow that will be done in the different function. The missing piece is "ft->g = NULL" after kfree(). And also fixes lines are missing in all your patches. Thanks
> On Mon, Dec 21, 2020 at 04:50:31PM +0800, Dinghao Liu wrote: > > mlx5e_create_ttc_table_groups() frees ft->g on failure of > > kvzalloc(), but such failure will be caught by its caller > > in mlx5e_create_ttc_table() and ft->g will be freed again > > in mlx5e_destroy_flow_table(). The same issue also occurs > > in mlx5e_create_ttc_table_groups(). > > > > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> > > --- > > drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ > > 1 file changed, 2 insertions(+), 6 deletions(-) > > I'm not thrilled to see release in the error flow that will be done in > the different function. The missing piece is "ft->g = NULL" after kfree(). > > And also fixes lines are missing in all your patches. > Thank you for your advice! I will resend a new patch soon. Regards, Dinghao
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c index fa8149f6eb08..63323c5b6a50 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c @@ -940,10 +940,8 @@ static int mlx5e_create_ttc_table_groups(struct mlx5e_ttc_table *ttc, if (!ft->g) return -ENOMEM; in = kvzalloc(inlen, GFP_KERNEL); - if (!in) { - kfree(ft->g); + if (!in) return -ENOMEM; - } /* L4 Group */ mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria); @@ -1085,10 +1083,8 @@ static int mlx5e_create_inner_ttc_table_groups(struct mlx5e_ttc_table *ttc) if (!ft->g) return -ENOMEM; in = kvzalloc(inlen, GFP_KERNEL); - if (!in) { - kfree(ft->g); + if (!in) return -ENOMEM; - } /* L4 Group */ mc = MLX5_ADDR_OF(create_flow_group_in, in, match_criteria);
mlx5e_create_ttc_table_groups() frees ft->g on failure of kvzalloc(), but such failure will be caught by its caller in mlx5e_create_ttc_table() and ft->g will be freed again in mlx5e_destroy_flow_table(). The same issue also occurs in mlx5e_create_ttc_table_groups(). Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> --- drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)