Re: [PATCH v3 1/1] net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()
From: Michal Swiatkowski
Date: Fri Apr 11 2025 - 01:35:03 EST
On Fri, Apr 11, 2025 at 10:29:16AM +0800, Henry Martin wrote:
> Add NULL check for mlx5_get_flow_namespace() returns in
> mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent
> NULL pointer dereference.
>
> Fixes: 137f3d50ad2a ("net/mlx5: Support matching on l4_type for ttc_table")
> Signed-off-by: Henry Martin <bsdhenrymartin@xxxxxxxxx>
> ---
> V2 -> V3: No functional changes, just gathering the patches in a series.
> V1 -> V2: Add an empty line after the return statement.
>
> drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> index eb3bd9c7f66e..18cc6960a5c1 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/fs_ttc.c
> @@ -655,6 +655,9 @@ struct mlx5_ttc_table *mlx5_create_inner_ttc_table(struct mlx5_core_dev *dev,
> }
>
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> + if (!ns)
> + return ERR_PTR(-EOPNOTSUPP);
There is ttc = kvzalloc() before. I think you should call kvfree(ttc)
before returning. It looks like the same leak already exists when
params->ns_type is unknown.
> +
> groups = use_l4_type ? &inner_ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
> &inner_ttc_groups[TTC_GROUPS_DEFAULT];
>
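Review bot: the new `if (!ns)` return in mlx5_create_inner_ttc_table() leaves the function without releasing ttc, which according to the reply above is allocated with kvzalloc() earlier in the function (the allocation is outside this hunk's context). Put `kvfree(ttc);` ahead of `return ERR_PTR(-EOPNOTSUPP);`, or route the failure through a single error label so that the unknown params->ns_type path mentioned in the reply is covered by the same cleanup.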
> @@ -728,6 +731,9 @@ struct mlx5_ttc_table *mlx5_create_ttc_table(struct mlx5_core_dev *dev,
> }
>
> ns = mlx5_get_flow_namespace(dev, params->ns_type);
> + if (!ns)
> + return ERR_PTR(-EOPNOTSUPP);
The same here.
> +
> groups = use_l4_type ? &ttc_groups[TTC_GROUPS_USE_L4_TYPE] :
> &ttc_groups[TTC_GROUPS_DEFAULT];
>
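Review bot: the `if (!ns)` return in mlx5_create_ttc_table() repeats the early exit from the inner variant, and the reply flags it for the same reason, so ttc needs to be freed before `return ERR_PTR(-EOPNOTSUPP);` here as well. If the free is folded into this patch, the commit message should say that it also releases ttc on this path, since it currently describes only the NULL check.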
> --
> 2.34.1