The function mlx5_query_nic_vport_qkey_viol_cntr() calls the functuion
mlx5_query_nic_vport_context() but does not check its return value. This
could lead to undefined behavior if the query fails. A proper
implementation can be found in mlx5_nic_vport_query_local_lb().

Add error handling for mlx5_query_nic_vport_context(). If it fails, free
the out buffer via kvfree() and return error code.

Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields")
Cc: stable@vger.kernel.org # v4.5
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/net/ethernet/mellanox/mlx5/core/vport.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
index 0d5f750faa45..276b162ccf18 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
@@ -518,20 +518,23 @@ int mlx5_query_nic_vport_qkey_viol_cntr(struct mlx5_core_dev *mdev,
 					u16 *qkey_viol_cntr)
 {
 	u32 *out;
-	int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);
+	int ret, outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);
 
 	out = kvzalloc(outlen, GFP_KERNEL);
 	if (!out)
 		return -ENOMEM;
 
-	mlx5_query_nic_vport_context(mdev, 0, out);
+	ret = mlx5_query_nic_vport_context(mdev, 0, out);
+	if (ret)
+		goto out;
 
 	*qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out,
 				   nic_vport_context.qkey_violation_counter);
-
+	ret = 0;
+out:
 	kvfree(out);
 
-	return 0;
+	return ret;
 }
 EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr);
 
-- 
2.42.0.windows.2

On Mon, May 19, 2025 at 11:40:43AM +0800, Wentao Liang wrote:
> The function mlx5_query_nic_vport_qkey_viol_cntr() calls the functuion
> mlx5_query_nic_vport_context() but does not check its return value. This
> could lead to undefined behavior if the query fails. A proper
> implementation can be found in mlx5_nic_vport_query_local_lb().
> 
> Add error handling for mlx5_query_nic_vport_context(). If it fails, free
> the out buffer via kvfree() and return error code.
> 
> Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields")
> Cc: stable@vger.kernel.org # v4.5
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/vport.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
> index 0d5f750faa45..276b162ccf18 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
> @@ -518,20 +518,23 @@ int mlx5_query_nic_vport_qkey_viol_cntr(struct mlx5_core_dev *mdev,
>  					u16 *qkey_viol_cntr)
>  {
>  	u32 *out;
> -	int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);
> +	int ret, outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out);

You can fix RCT here.

>  
>  	out = kvzalloc(outlen, GFP_KERNEL);
>  	if (!out)
>  		return -ENOMEM;
>  
> -	mlx5_query_nic_vport_context(mdev, 0, out);
> +	ret = mlx5_query_nic_vport_context(mdev, 0, out);
> +	if (ret)
> +		goto out;
>  
>  	*qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out,
>  				   nic_vport_context.qkey_violation_counter);
> -
> +	ret = 0;

ret is already 0 here, no need to reassign it.

> +out:
>  	kvfree(out);
>  
> -	return 0;
> +	return ret;
>  }
>  EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr);
>  
> -- 
> 2.42.0.windows.2