from:"Xin Xiong"

[PATCH v2] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq

2020-07-30 Thread Xin Xiong

The function invokes bpf_prog_inc(), which increases the reference
count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.

The refcount leak issues take place in two error handling paths. When
either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
simply returns the error code and forgets to drop the reference count
increased earlier, causing a reference count leak of "rq->xdp_prog".

Fix this issue by jumping to the error handling path err_rq_wq_destroy
while either function fails.

Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ
types")

Signed-off-by: Xin Xiong 
Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
---
v1 -> v2:
- Amended parts of wording to be better understood
- Added Fixes tag
---
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c 
b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a836a02a2116..8e1b1ab416d8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_ll_create(mdev, >wq, rqc_wq, >mpwqe.wq,
>wq_ctrl);
if (err)
-   return err;
+   goto err_rq_wq_destroy;
 
rq->mpwqe.wq.db = >mpwqe.wq.db[MLX5_RCV_DBR];
 
@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_cyc_create(mdev, >wq, rqc_wq, >wqe.wq,
 >wq_ctrl);
if (err)
-   return err;
+   goto err_rq_wq_destroy;
 
rq->wqe.wq.db = >wqe.wq.db[MLX5_RCV_DBR];
 
-- 
2.25.1

[PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

2020-07-29 Thread Xin Xiong

atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.

The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.

Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.

Signed-off-by: Xin Xiong 
Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
---
 drivers/atm/atmtcp.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index d9fd70280482..7f814da3c2d0 100644
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf)
return -EMEDIUMTYPE;
}
dev_data = PRIV(dev);
-   if (!dev_data->persist) return 0;
+   if (!dev_data->persist) {
+   atm_dev_put(dev);
+   return 0;
+   }
dev_data->persist = 0;
-   if (PRIV(dev)->vcc) return 0;
+   if (PRIV(dev)->vcc) {
+   atm_dev_put(dev);
+   return 0;
+   }
kfree(dev_data);
atm_dev_put(dev);
atm_dev_deregister(dev);
-- 
2.25.1

[PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq

2020-07-29 Thread Xin Xiong

The function invokes bpf_prog_inc(), which increases the refcount of a
bpf_prog object "rq->xdp_prog" if the object isn't NULL.

The refcount leak issues take place in two error handling paths. When
mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function simply
returns the error code and forgets to drop the refcount increased
earlier, causing a refcount leak of "rq->xdp_prog".

Fix this issue by jumping to the error handling path err_rq_wq_destroy
when either function fails.

Signed-off-by: Xin Xiong 
Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
---
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c 
b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index a836a02a2116..8e1b1ab416d8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -419,7 +419,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_ll_create(mdev, >wq, rqc_wq, >mpwqe.wq,
>wq_ctrl);
if (err)
-   return err;
+   goto err_rq_wq_destroy;
 
rq->mpwqe.wq.db = >mpwqe.wq.db[MLX5_RCV_DBR];
 
@@ -470,7 +470,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
err = mlx5_wq_cyc_create(mdev, >wq, rqc_wq, >wqe.wq,
 >wq_ctrl);
if (err)
-   return err;
+   goto err_rq_wq_destroy;
 
rq->wqe.wq.db = >wqe.wq.db[MLX5_RCV_DBR];
 
-- 
2.25.1

[PATCH] tty: fix pid refcount leak in tty_signal_session_leader

2020-07-25 Thread Xin Xiong

In the loop, every time when p->signal->leader is true, the function
tty_signal_session_leader() will invoke get_pid() and return a
reference of tty->pgrp with increased refcount to the local variable
tty_pgrp or return NULL if it fails. After finishing the loop, the
function invokes put_pid() for only once, decreasing the refcount that
tty_pgrp keeps.

Refcount leaks may occur when the scenario that p->signal->leader is
true happens more than once. In this assumption, if the above scenario
happens n times in the loop, the function forgets to decrease the
refcount for n-1 times, which causes refcount leaks.

Fix the issue by decreasing the current refcount of the local variable
tty_pgrp before assigning new objects to it.

Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
Signed-off-by: Xin Xiong 
---
 drivers/tty/tty_jobctrl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c
index f8ed50a16848..9e6bf693ade1 100644
--- a/drivers/tty/tty_jobctrl.c
+++ b/drivers/tty/tty_jobctrl.c
@@ -212,6 +212,8 @@ int tty_signal_session_leader(struct tty_struct *tty, int 
exit_session)
__group_send_sig_info(SIGCONT, SEND_SIG_PRIV, p);
put_pid(p->signal->tty_old_pgrp);  /* A noop */
spin_lock(>ctrl_lock);
+   if (tty_pgrp)
+   put_pid(tty_pgrp);
tty_pgrp = get_pid(tty->pgrp);
if (tty->pgrp)
p->signal->tty_old_pgrp = get_pid(tty->pgrp);
-- 
2.25.1

[PATCH] fork: fix pid refcount leaks when destroying file

2020-07-25 Thread Xin Xiong

When clone_flags & CLONE_PIDFD is true,the function creates a new file
object called pidfile,and invokes get_pid(),which increases the refcnt
of pid for pidfile to hold.

The reference counting issues take place in the error handling paths.
When error occurs after the construction of pidfile, the function only
invokes fput() to destroy pidfile, in which the increased refcount
won't be decreased, resulting in a refcount leak.

Fix this issue by adding put_pid() in the error handling path
bad_fork_put_pidfd.

Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
Signed-off-by: Xin Xiong 
---
 kernel/fork.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/fork.c b/kernel/fork.c
index 142b23645d82..7cbfb2c4fce3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2319,6 +2319,7 @@ static __latent_entropy struct task_struct *copy_process(
 bad_fork_put_pidfd:
if (clone_flags & CLONE_PIDFD) {
fput(pidfile);
+   put_pid(pid);
put_unused_fd(pidfd);
}
 bad_fork_free_pid:
-- 
2.25.1

[PATCH] drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi

2020-07-19 Thread Xin Xiong

drm_dp_mst_allocate_vcpi() invokes
drm_dp_mst_topology_get_port_validated(), which increases the refcount
of the "port".

These reference counting issues take place in two exception handling
paths separately. Either when “slots” is less than 0 or when
drm_dp_init_vcpi() returns a negative value, the function forgets to
reduce the refcnt increased drm_dp_mst_topology_get_port_validated(),
which results in a refcount leak.

Fix these issues by pulling up the error handling when "slots" is less
than 0, and calling drm_dp_mst_topology_put_port() before termination
when drm_dp_init_vcpi() returns a negative value.

Signed-off-by: Xiyu Yang 
Signed-off-by: Xin Tan 
Signed-off-by: Xin Xiong 
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c 
b/drivers/gpu/drm/drm_dp_mst_topology.c
index 1e26b89628f9..97b48b531ec6 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -4261,11 +4261,11 @@ bool drm_dp_mst_allocate_vcpi(struct 
drm_dp_mst_topology_mgr *mgr,
 {
int ret;
 
-   port = drm_dp_mst_topology_get_port_validated(mgr, port);
-   if (!port)
+   if (slots < 0)
return false;
 
-   if (slots < 0)
+   port = drm_dp_mst_topology_get_port_validated(mgr, port);
+   if (!port)
return false;
 
if (port->vcpi.vcpi > 0) {
@@ -4281,6 +4281,7 @@ bool drm_dp_mst_allocate_vcpi(struct 
drm_dp_mst_topology_mgr *mgr,
if (ret) {
DRM_DEBUG_KMS("failed to init vcpi slots=%d max=63 ret=%d\n",
  DIV_ROUND_UP(pbn, mgr->pbn_div), ret);
+   drm_dp_mst_topology_put_port(port);
goto out;
}
DRM_DEBUG_KMS("initing vcpi for pbn=%d slots=%d\n",
-- 
2.25.1

[PATCH v2] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq

[PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

[PATCH] net/mlx5e: fix bpf_prog refcnt leaks in mlx5e_alloc_rq

[PATCH] tty: fix pid refcount leak in tty_signal_session_leader

[PATCH] fork: fix pid refcount leaks when destroying file

[PATCH] drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi

6 matches

Site Navigation

Mail list logo

Footer information