[PATCH 5.8 098/124] net: mvneta: fix double free of txq->buf

From: Greg Kroah-Hartman
Date: Mon Oct 12 2020 - 09:52:49 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.8 054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate"
Previous message: Greg Kroah-Hartman: "[PATCH 5.8 056/124] xfrm: clone whole liftime_cur structure in xfrm_do_migrate"
In reply to: Greg Kroah-Hartman: "[PATCH 5.8 056/124] xfrm: clone whole liftime_cur structure in xfrm_do_migrate"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.8 054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tom Rix <trix@xxxxxxxxxx>

[ Upstream commit f4544e5361da5050ff5c0330ceea095cb5dbdd72 ]

clang static analysis reports this problem:

drivers/net/ethernet/marvell/mvneta.c:3465:2: warning:
Attempt to free released memory
kfree(txq->buf);
^~~~~~~~~~~~~~~

When mvneta_txq_sw_init() fails to alloc txq->tso_hdrs,
it frees without poisoning txq->buf. The error is caught
in the mvneta_setup_txqs() caller which handles the error
by cleaning up all of the txqs with a call to
mvneta_txq_sw_deinit which also frees txq->buf.

Since mvneta_txq_sw_deinit is a general cleaner, all of the
partial cleaning in mvneta_txq_sw_deinit()'s error handling
is not needed.

Fixes: 2adb719d74f6 ("net: mvneta: Implement software TSO")
Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/ethernet/marvell/mvneta.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 7d5d9d34f4e47..69a234e83b8b7 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -3372,24 +3372,15 @@ static int mvneta_txq_sw_init(struct mvneta_port *pp,
txq->last_desc = txq->size - 1;

txq->buf = kmalloc_array(txq->size, sizeof(*txq->buf), GFP_KERNEL);
- if (!txq->buf) {
- dma_free_coherent(pp->dev->dev.parent,
- txq->size * MVNETA_DESC_ALIGNED_SIZE,
- txq->descs, txq->descs_phys);
+ if (!txq->buf)
return -ENOMEM;
- }

/* Allocate DMA buffers for TSO MAC/IP/TCP headers */
txq->tso_hdrs = dma_alloc_coherent(pp->dev->dev.parent,
txq->size * TSO_HEADER_SIZE,
&txq->tso_hdrs_phys, GFP_KERNEL);
- if (!txq->tso_hdrs) {
- kfree(txq->buf);
- dma_free_coherent(pp->dev->dev.parent,
- txq->size * MVNETA_DESC_ALIGNED_SIZE,
- txq->descs, txq->descs_phys);
+ if (!txq->tso_hdrs)
return -ENOMEM;
- }

/* Setup XPS mapping */
if (txq_number > 1)
--
2.25.1

Next message: Greg Kroah-Hartman: "[PATCH 5.8 054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate"
Previous message: Greg Kroah-Hartman: "[PATCH 5.8 056/124] xfrm: clone whole liftime_cur structure in xfrm_do_migrate"
In reply to: Greg Kroah-Hartman: "[PATCH 5.8 056/124] xfrm: clone whole liftime_cur structure in xfrm_do_migrate"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.8 054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]