1. Patchew
  2. linux
  3. [PATCH net 0/2] octeontx2-pf: Fix several bugs in exception paths
  4. View patch

[PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs()

Ziyang Xuan posted 2 patches 2 years, 9 months ago
[PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs()
Posted by Ziyang Xuan 2 years, 9 months ago 
otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues"
label in otx2_init_hw_resources(). The first calling is within
otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling
is at later "err_free_sq_ptrs" label.

In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it
points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after
memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory
page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug,
assign 0 to sq->sqb_ptrs[i] after memory page be freed.

Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
index 9e10e7471b88..5a25fe51d102 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf)
 					     DMA_FROM_DEVICE,
 					     DMA_ATTR_SKIP_CPU_SYNC);
 			put_page(virt_to_page(phys_to_virt(pa)));
+			sq->sqb_ptrs[sqb] = 0;
 		}
 		sq->sqb_count = 0;
 	}
-- 
2.25.1
Re: [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs()
Posted by Paolo Abeni 2 years, 9 months ago 
Hello,

On Fri, 2022-11-25 at 15:45 +0800, Ziyang Xuan wrote:
> otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues"
> label in otx2_init_hw_resources(). The first calling is within
> otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling
> is at later "err_free_sq_ptrs" label.
> 
> In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it
> points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after
> memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory
> page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug,
> assign 0 to sq->sqb_ptrs[i] after memory page be freed.
> 
> Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> ---
>  drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
> index 9e10e7471b88..5a25fe51d102 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
> @@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf)
>  					     DMA_FROM_DEVICE,
>  					     DMA_ATTR_SKIP_CPU_SYNC);
>  			put_page(virt_to_page(phys_to_virt(pa)));
> +			sq->sqb_ptrs[sqb] = 0;

The above looks not needed...
>  		}
>  		sq->sqb_count = 0;

... as this will prevent the next invocation of otx2_sq_free_sqbs()
from traversing and freeing any sq->sqb_ptrs[] element.

Cheers,

Paolo
>  	}
Re: [PATCH net 2/2] octeontx2-pf: Fix a potential double free in otx2_sq_free_sqbs()
Posted by Ziyang Xuan (William) 2 years, 9 months ago 
> Hello,
> 
> On Fri, 2022-11-25 at 15:45 +0800, Ziyang Xuan wrote:
>> otx2_sq_free_sqbs() will be called twice when goto "err_free_nix_queues"
>> label in otx2_init_hw_resources(). The first calling is within
>> otx2_free_sq_res() at "err_free_nix_queues" label, and the second calling
>> is at later "err_free_sq_ptrs" label.
>>
>> In otx2_sq_free_sqbs(), If sq->sqb_ptrs[i] is not 0, the memory page it
>> points to will be freed, and sq->sqb_ptrs[i] do not be assigned 0 after
>> memory page be freed. If otx2_sq_free_sqbs() is called twice, the memory
>> page pointed by sq->sqb_ptrs[i] will be freeed twice. To fix the bug,
>> assign 0 to sq->sqb_ptrs[i] after memory page be freed.
>>
>> Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>> ---
>>  drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
>> index 9e10e7471b88..5a25fe51d102 100644
>> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
>> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
>> @@ -1146,6 +1146,7 @@ void otx2_sq_free_sqbs(struct otx2_nic *pfvf)
>>  					     DMA_FROM_DEVICE,
>>  					     DMA_ATTR_SKIP_CPU_SYNC);
>>  			put_page(virt_to_page(phys_to_virt(pa)));
>> +			sq->sqb_ptrs[sqb] = 0;
> 
> The above looks not needed...
>>  		}
>>  		sq->sqb_count = 0;
> 
> ... as this will prevent the next invocation of otx2_sq_free_sqbs()
> from traversing and freeing any sq->sqb_ptrs[] element.

Yes, you are right. I did pay much attention to sq->sqb_ptrs[],
and omitted the for loop condition.

Thank you!

> 
> Cheers,
> 
> Paolo
>>  	}
> 
> 
> .
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.