Re: [PATCH] net: mellanox: prevent resource leak on htbl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2020-01-13 17:49, Alex Vesker wrote:
On 1/13/2020 3:46 PM, Cengiz Can wrote:
According to a Coverity static analysis tool,
`drivers/net/mellanox/mlx5/core/steering/dr_rule.c#63` leaks a
`struct mlx5dr_ste_htbl *` named `new_htbl` while returning from
`dr_rule_create_collision_htbl` function.

A annotated snippet of the possible resource leak follows:

```
static struct mlx5dr_ste *
dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher,
struct mlx5dr_matcher_rx_tx *nic_matcher,
                              u8 *hw_ste)
   /* ... */
   /* ... */

/* Storage is returned from allocation function mlx5dr_ste_htbl_alloc. */ /* Assigning: new_htbl = storage returned from mlx5dr_ste_htbl_alloc(..) */
        new_htbl = mlx5dr_ste_htbl_alloc(dmn->ste_icm_pool,
                                         DR_CHUNK_SIZE_1,
                                         MLX5DR_STE_LU_TYPE_DONT_CARE,
                                         0);
   /* Condition !new_htbl, taking false branch. */
        if (!new_htbl) {
mlx5dr_dbg(dmn, "Failed allocating collision table\n");
                return NULL;
        }

        /* One and only entry, never grows */
        ste = new_htbl->ste_arr;
mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr); /* Resource new_htbl is not freed or pointed-to in mlx5dr_htbl_get */
        mlx5dr_htbl_get(new_htbl);

/* Variable new_htbl going out of scope leaks the storage it points to. */
        return ste;
```

There's a caller of this function which does refcounting and free'ing by
itself but that function also skips free'ing `new_htbl` due to missing
jump to error label. (referring to `dr_rule_create_collision_entry lines
75-77. They don't jump to `free_tbl`)

Added a `kfree(new_htbl)` just before returning `ste` pointer to fix the
leak.

Signed-off-by: Cengiz Can <cengiz@xxxxxxxxxx>
---

This might be totally breaking the refcounting logic in the file so
please provide any feedback so I can evolve this into something more
suitable.

For the record, Coverity scan id is CID 1457773.

 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
index e4cff7abb348..047b403c61db 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
@@ -60,6 +60,8 @@ dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher, mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr);
 	mlx5dr_htbl_get(new_htbl);

+	kfree(new_htbl);
+
 	return ste;
 }

--
2.24.1


The fix looks incorrect to me.
The table is pointed by each ste in the ste_arr, ste->new_htbl and being
freed on mlx5dr_htbl_put.
We tested kmemleak a few days ago and came clean.
usually coverity is not wrong, but in this case I don't see the bug...

Hello Alex,

To my experience, the refcounting logic is complex and spread out to multiple files.

It might be a false positive on Coverity's side.

If it certainly sounds wrong, we can ignore this.

Thanks

--
Cengiz Can
@cengiz_io



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux