Commit 3d67a507 authored by Aleksey Makarov's avatar Aleksey Makarov Committed by David S. Miller

net: thunderx: fix double free error

This patch fixes an error in memory allocation/freeing in
ThunderX PF driver.

I moved the allocation to the probe() function and made it managed.

>From the Colin's email:

While running static analysis on linux-next with CoverityScan I found 3
double free errors in the Cavium thunder driver.

The issue occurs on the err_disable_device: label of function nic_probe
when nic_free_lmacmem(nic) is called and a double free occurs on
nic->duplex, nic->link and nic->speed.  This occurs when nic_init_hw()
fails:

        /* Initialize hardware */
        err = nic_init_hw(nic);
        if (err)
                goto err_release_regions;

nic_init_hw() calls nic_get_hw_info() and this calls nic_free_lmacmem()
if any of the allocations fail. This free'ing occurs again by the call
to nic_free_lmacmem() on the err_release_regions exit path in nic_probe().
Reported-by: default avatarColin Ian King <colin.king@canonical.com>
Signed-off-by: default avatarAleksey Makarov <aleksey.makarov@cavium.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 86dabda4
...@@ -361,17 +361,8 @@ static void nic_set_lmac_vf_mapping(struct nicpf *nic) ...@@ -361,17 +361,8 @@ static void nic_set_lmac_vf_mapping(struct nicpf *nic)
} }
} }
static void nic_free_lmacmem(struct nicpf *nic) static void nic_get_hw_info(struct nicpf *nic)
{ {
kfree(nic->vf_lmac_map);
kfree(nic->link);
kfree(nic->duplex);
kfree(nic->speed);
}
static int nic_get_hw_info(struct nicpf *nic)
{
u8 max_lmac;
u16 sdevid; u16 sdevid;
struct hw_info *hw = nic->hw; struct hw_info *hw = nic->hw;
...@@ -419,41 +410,16 @@ static int nic_get_hw_info(struct nicpf *nic) ...@@ -419,41 +410,16 @@ static int nic_get_hw_info(struct nicpf *nic)
break; break;
} }
hw->tl4_cnt = MAX_QUEUES_PER_QSET * pci_sriov_get_totalvfs(nic->pdev); hw->tl4_cnt = MAX_QUEUES_PER_QSET * pci_sriov_get_totalvfs(nic->pdev);
/* Allocate memory for LMAC tracking elements */
max_lmac = hw->bgx_cnt * MAX_LMAC_PER_BGX;
nic->vf_lmac_map = kmalloc_array(max_lmac, sizeof(u8), GFP_KERNEL);
if (!nic->vf_lmac_map)
goto error;
nic->link = kmalloc_array(max_lmac, sizeof(u8), GFP_KERNEL);
if (!nic->link)
goto error;
nic->duplex = kmalloc_array(max_lmac, sizeof(u8), GFP_KERNEL);
if (!nic->duplex)
goto error;
nic->speed = kmalloc_array(max_lmac, sizeof(u32), GFP_KERNEL);
if (!nic->speed)
goto error;
return 0;
error:
nic_free_lmacmem(nic);
return -ENOMEM;
} }
#define BGX0_BLOCK 8 #define BGX0_BLOCK 8
#define BGX1_BLOCK 9 #define BGX1_BLOCK 9
static int nic_init_hw(struct nicpf *nic) static void nic_init_hw(struct nicpf *nic)
{ {
int i, err; int i;
u64 cqm_cfg; u64 cqm_cfg;
/* Get HW capability info */
err = nic_get_hw_info(nic);
if (err)
return err;
/* Enable NIC HW block */ /* Enable NIC HW block */
nic_reg_write(nic, NIC_PF_CFG, 0x3); nic_reg_write(nic, NIC_PF_CFG, 0x3);
...@@ -498,8 +464,6 @@ static int nic_init_hw(struct nicpf *nic) ...@@ -498,8 +464,6 @@ static int nic_init_hw(struct nicpf *nic)
cqm_cfg = nic_reg_read(nic, NIC_PF_CQM_CFG); cqm_cfg = nic_reg_read(nic, NIC_PF_CQM_CFG);
if (cqm_cfg < NICPF_CQM_MIN_DROP_LEVEL) if (cqm_cfg < NICPF_CQM_MIN_DROP_LEVEL)
nic_reg_write(nic, NIC_PF_CQM_CFG, NICPF_CQM_MIN_DROP_LEVEL); nic_reg_write(nic, NIC_PF_CQM_CFG, NICPF_CQM_MIN_DROP_LEVEL);
return 0;
} }
/* Channel parse index configuration */ /* Channel parse index configuration */
...@@ -1269,6 +1233,7 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) ...@@ -1269,6 +1233,7 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
{ {
struct device *dev = &pdev->dev; struct device *dev = &pdev->dev;
struct nicpf *nic; struct nicpf *nic;
u8 max_lmac;
int err; int err;
BUILD_BUG_ON(sizeof(union nic_mbx) > 16); BUILD_BUG_ON(sizeof(union nic_mbx) > 16);
...@@ -1278,10 +1243,8 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) ...@@ -1278,10 +1243,8 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
return -ENOMEM; return -ENOMEM;
nic->hw = devm_kzalloc(dev, sizeof(struct hw_info), GFP_KERNEL); nic->hw = devm_kzalloc(dev, sizeof(struct hw_info), GFP_KERNEL);
if (!nic->hw) { if (!nic->hw)
devm_kfree(dev, nic);
return -ENOMEM; return -ENOMEM;
}
pci_set_drvdata(pdev, nic); pci_set_drvdata(pdev, nic);
...@@ -1322,11 +1285,33 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) ...@@ -1322,11 +1285,33 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
nic->node = nic_get_node_id(pdev); nic->node = nic_get_node_id(pdev);
/* Initialize hardware */ /* Get HW capability info */
err = nic_init_hw(nic); nic_get_hw_info(nic);
if (err)
/* Allocate memory for LMAC tracking elements */
err = -ENOMEM;
max_lmac = nic->hw->bgx_cnt * MAX_LMAC_PER_BGX;
nic->vf_lmac_map = devm_kmalloc_array(dev, max_lmac, sizeof(u8),
GFP_KERNEL);
if (!nic->vf_lmac_map)
goto err_release_regions; goto err_release_regions;
nic->link = devm_kmalloc_array(dev, max_lmac, sizeof(u8), GFP_KERNEL);
if (!nic->link)
goto err_release_regions;
nic->duplex = devm_kmalloc_array(dev, max_lmac, sizeof(u8), GFP_KERNEL);
if (!nic->duplex)
goto err_release_regions;
nic->speed = devm_kmalloc_array(dev, max_lmac, sizeof(u32), GFP_KERNEL);
if (!nic->speed)
goto err_release_regions;
/* Initialize hardware */
nic_init_hw(nic);
nic_set_lmac_vf_mapping(nic); nic_set_lmac_vf_mapping(nic);
/* Register interrupts */ /* Register interrupts */
...@@ -1360,9 +1345,6 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) ...@@ -1360,9 +1345,6 @@ static int nic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err_release_regions: err_release_regions:
pci_release_regions(pdev); pci_release_regions(pdev);
err_disable_device: err_disable_device:
nic_free_lmacmem(nic);
devm_kfree(dev, nic->hw);
devm_kfree(dev, nic);
pci_disable_device(pdev); pci_disable_device(pdev);
pci_set_drvdata(pdev, NULL); pci_set_drvdata(pdev, NULL);
return err; return err;
...@@ -1384,10 +1366,6 @@ static void nic_remove(struct pci_dev *pdev) ...@@ -1384,10 +1366,6 @@ static void nic_remove(struct pci_dev *pdev)
nic_unregister_interrupts(nic); nic_unregister_interrupts(nic);
pci_release_regions(pdev); pci_release_regions(pdev);
nic_free_lmacmem(nic);
devm_kfree(&pdev->dev, nic->hw);
devm_kfree(&pdev->dev, nic);
pci_disable_device(pdev); pci_disable_device(pdev);
pci_set_drvdata(pdev, NULL); pci_set_drvdata(pdev, NULL);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment