Hi,

Two potential risks were found while scanning the source code of i40e
version 2.22.20
<https://sourceforge.net/projects/e1000/files/i40e%20stable/2.22.20/>.
I've attached a possible fix for these risks. See the attachment.

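*1. Memory leak*
In file src/i40e_virtchnl_pf.c, at line 981 and line 991, the `goto err_out`
branches do NOT free `mr_list`: the only `kfree(mr_list)` sits just above the
`err_out:` label, so both jumps skip it. This would cause a memory leak each
time one of these two -EPERM paths is taken.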

/*
 * Quoted from the report. Allocates a one-entry list holding src_vsi's SEID
 * and submits it with i40e_aq_add_mirrorrule(), passing rule_type and rule_id
 * through. Returns that call's result, -ENOMEM if the list cannot be
 * allocated, or -EPERM when I40E_IS_MIRROR_VLAN_ID_VALID() is true for the
 * source's ingress or egress VLAN (PF or VF).
 *
 * NOTE(review): kfree(mr_list) is placed above the err_out label, so the two
 * -EPERM exits return with mr_list still allocated. kfree(NULL) is a no-op,
 * so moving the label above kfree() would cover all three exits.
 *
 * NOTE(review): src_vsi->vf_id indexes pf->vf with no range check in this
 * function; presumably the caller validates it -- confirm.
 */
> static int i40e_add_ingress_egress_mirror(struct i40e_vsi *src_vsi,
>  struct i40e_vsi *mirror_vsi,
>  u16 rule_type, u16 *rule_id)
> {
> u16 dst_seid, rules_used, rules_free, sw_seid;
> struct i40e_pf *pf = src_vsi->back;
> int ret, num = 0, cnt = 1;
> int *vsi_ingress_vlan;
> int *vsi_egress_vlan;
> __le16 *mr_list;
>
> mr_list = (__le16*)kcalloc(cnt, sizeof(__le16), GFP_KERNEL); /* heap allocation: every later exit must free it */
> if (!mr_list) {
> ret = -ENOMEM;
> goto err_out; /* nothing was allocated, so skipping kfree() is harmless here */
> }
>
> if (src_vsi->type == I40E_VSI_MAIN) {
> vsi_ingress_vlan = &pf->ingress_vlan;
> vsi_egress_vlan = &pf->egress_vlan;
> } else {
> vsi_ingress_vlan = &pf->vf[src_vsi->vf_id].ingress_vlan;
> vsi_egress_vlan = &pf->vf[src_vsi->vf_id].egress_vlan;
> }
>
> if (I40E_IS_MIRROR_VLAN_ID_VALID(*vsi_ingress_vlan)) {
> if (src_vsi->type == I40E_VSI_MAIN)
> dev_err(&pf->pdev->dev,
> "PF already has an ingress mirroring configured, only one rule per PF is
> supported!\n");
> else
> dev_err(&pf->pdev->dev,
> "VF=%d already has an ingress mirroring configured, only one rule per VF
> is supported!\n",
> src_vsi->vf_id);
> ret = -EPERM;
> goto err_out;   //line 981 -- NOTE(review): jumps past kfree(mr_list); mr_list leaks
> } else if (I40E_IS_MIRROR_VLAN_ID_VALID(*vsi_egress_vlan)) {
> if (src_vsi->type == I40E_VSI_MAIN)
> dev_err(&pf->pdev->dev,
> "PF already has an egress mirroring configured, only one rule per PF is
> supported!\n");
> else
> dev_err(&pf->pdev->dev,
> "VF=%d already has an egress mirroring configured, only one rule per VF is
> supported!\n",
> src_vsi->vf_id);
> ret = -EPERM;
> goto err_out;  //line 991 -- NOTE(review): jumps past kfree(mr_list); mr_list leaks
> }
>
> sw_seid = src_vsi->uplink_seid;
> dst_seid = mirror_vsi->seid;
> mr_list[num] = CPU_TO_LE16(src_vsi->seid);
> ret = i40e_aq_add_mirrorrule(&pf->hw, sw_seid,
>     rule_type, dst_seid,
>     cnt, mr_list, NULL,
>     rule_id, &rules_used,
>     &rules_free);
> kfree(mr_list); /* only reached on the fall-through path */
> err_out: /* label sits after kfree(), so every goto above bypasses the free */
> return ret;
> }
>

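*2. Dereferencing a freed pointer*
In file src/i40e_client.c, at line 450 and line 454, `cdev` and `client` are
used after they have been released by the call to
`i40e_client_del_instance(pf)`. The function does not return after the failed
open, so execution falls through to these calls with the stale pointers.
This would cause a crash by dereferencing a freed pointer (a use-after-free).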

/*
 * Quoted from the report. Runs only when __I40E_CLIENT_SERVICE_REQUESTED was
 * set (the bit is cleared by the test). Returns early if the PF is down or
 * config-busy, or if there is no client instance or no client. If the
 * instance is not yet opened and the netdev is registered, it calls the
 * client's open() callback and, on failure, clears the OPENED bit and calls
 * i40e_client_del_instance(pf). Finally it calls
 * i40e_client_update_vsi_ctxt() with different flag arguments depending on
 * __I40E_VSI_DOWN.
 *
 * NOTE(review): there is no return after i40e_client_del_instance(pf), so the
 * update calls below still run with the local cdev and client. The report
 * states that call releases the instance (its body is not shown here), which
 * makes both pointers stale. Returning right after the delete would keep the
 * later code off the released instance.
 */
> void i40e_client_subtask(struct i40e_pf *pf)
> {
> struct i40e_client *client;
> struct i40e_client_instance *cdev;
> struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
> int ret = 0;
>
> if (!test_and_clear_bit(__I40E_CLIENT_SERVICE_REQUESTED, pf->state))
> return;
> cdev = pf->cinst; /* local copy of pf->cinst; not refreshed later in this function */
>
> /* If we're down or resetting, just bail */
> if (test_bit(__I40E_DOWN, pf->state) ||
>    test_bit(__I40E_CONFIG_BUSY, pf->state))
> return;
>
> if (!cdev || !cdev->client)
> return;
>
> client = cdev->client;
>
> /* Here we handle client opens. If the client is down, and
> * the netdev is registered, then open the client.
> */
> if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) {
> if (vsi->netdev_registered &&
>    client->ops && client->ops->open) {
> set_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state);
> ret = client->ops->open(&cdev->lan_info, client);
> if (ret) {
> /* Remove failed client instance */
> clear_bit(__I40E_CLIENT_INSTANCE_OPENED,
>  &cdev->state);
> i40e_client_del_instance(pf); /* NOTE(review): no return follows; cdev and client are used again below */
> }
> }
> }
>
> /* enable/disable PE TCP_ENA flag based on netdev down/up
> */
> if (test_bit(__I40E_VSI_DOWN, vsi->state))
> i40e_client_update_vsi_ctxt(&cdev->lan_info, client,     //line 450 -- NOTE(review): also reached after the del_instance call above
>    0, 0, 0,
>    I40E_CLIENT_VSI_FLAG_TCP_ENABLE);
> else
> i40e_client_update_vsi_ctxt(&cdev->lan_info, client,   //line 454 -- NOTE(review): also reached after the del_instance call above
>    0, 0,
>    I40E_CLIENT_VSI_FLAG_TCP_ENABLE,
>    I40E_CLIENT_VSI_FLAG_TCP_ENABLE);
> }
>

Attachment: i40e.patch
Description: Binary data
