Hi, Two potential risks were found while scanning the source code of i40e version 2.22.20 <https://sourceforge.net/projects/e1000/files/i40e%20stable/2.22.20/>. I've attached a possible fix for these risks. See the attachment.
*1. Memory leak* In file src/i40e_virtchnl_pf.c , line 981 and line 991, the goto err_out branch does NOT free `mr_list`. This would cause a memory leak. > static int i40e_add_ingress_egress_mirror(struct i40e_vsi *src_vsi, > struct i40e_vsi *mirror_vsi, > u16 rule_type, u16 *rule_id) > { > u16 dst_seid, rules_used, rules_free, sw_seid; > struct i40e_pf *pf = src_vsi->back; > int ret, num = 0, cnt = 1; > int *vsi_ingress_vlan; > int *vsi_egress_vlan; > __le16 *mr_list; > > mr_list = (__le16*)kcalloc(cnt, sizeof(__le16), GFP_KERNEL); > if (!mr_list) { > ret = -ENOMEM; > goto err_out; > } > > if (src_vsi->type == I40E_VSI_MAIN) { > vsi_ingress_vlan = &pf->ingress_vlan; > vsi_egress_vlan = &pf->egress_vlan; > } else { > vsi_ingress_vlan = &pf->vf[src_vsi->vf_id].ingress_vlan; > vsi_egress_vlan = &pf->vf[src_vsi->vf_id].egress_vlan; > } > > if (I40E_IS_MIRROR_VLAN_ID_VALID(*vsi_ingress_vlan)) { > if (src_vsi->type == I40E_VSI_MAIN) > dev_err(&pf->pdev->dev, > "PF already has an ingress mirroring configured, only one rule per PF is > supported!\n"); > else > dev_err(&pf->pdev->dev, > "VF=%d already has an ingress mirroring configured, only one rule per VF > is supported!\n", > src_vsi->vf_id); > ret = -EPERM; > goto err_out; //line 981 > } else if (I40E_IS_MIRROR_VLAN_ID_VALID(*vsi_egress_vlan)) { > if (src_vsi->type == I40E_VSI_MAIN) > dev_err(&pf->pdev->dev, > "PF already has an egress mirroring configured, only one rule per PF is > supported!\n"); > else > dev_err(&pf->pdev->dev, > "VF=%d already has an egress mirroring configured, only one rule per VF is > supported!\n", > src_vsi->vf_id); > ret = -EPERM; > goto err_out; //line 991 > } > > sw_seid = src_vsi->uplink_seid; > dst_seid = mirror_vsi->seid; > mr_list[num] = CPU_TO_LE16(src_vsi->seid); > ret = i40e_aq_add_mirrorrule(&pf->hw, sw_seid, > rule_type, dst_seid, > cnt, mr_list, NULL, > rule_id, &rules_used, > &rules_free); > kfree(mr_list); > err_out: > return ret; > } > *2. dereferencing a freed pointer* In file src/i40e_client.c, line 450 and line 454, `cdev` and `client` are used after the release by calling `i40e_client_del_instance(pf)`. This would cause a crash for dereferencing a freed pointer. > void i40e_client_subtask(struct i40e_pf *pf) > { > struct i40e_client *client; > struct i40e_client_instance *cdev; > struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; > int ret = 0; > > if (!test_and_clear_bit(__I40E_CLIENT_SERVICE_REQUESTED, pf->state)) > return; > cdev = pf->cinst; > > /* If we're down or resetting, just bail */ > if (test_bit(__I40E_DOWN, pf->state) || > test_bit(__I40E_CONFIG_BUSY, pf->state)) > return; > > if (!cdev || !cdev->client) > return; > > client = cdev->client; > > /* Here we handle client opens. If the client is down, and > * the netdev is registered, then open the client. > */ > if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) { > if (vsi->netdev_registered && > client->ops && client->ops->open) { > set_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state); > ret = client->ops->open(&cdev->lan_info, client); > if (ret) { > /* Remove failed client instance */ > clear_bit(__I40E_CLIENT_INSTANCE_OPENED, > &cdev->state); > i40e_client_del_instance(pf); > } > } > } > > /* enable/disable PE TCP_ENA flag based on netdev down/up > */ > if (test_bit(__I40E_VSI_DOWN, vsi->state)) > i40e_client_update_vsi_ctxt(&cdev->lan_info, client, //line 450 > 0, 0, 0, > I40E_CLIENT_VSI_FLAG_TCP_ENABLE); > else > i40e_client_update_vsi_ctxt(&cdev->lan_info, client, //line 454 > 0, 0, > I40E_CLIENT_VSI_FLAG_TCP_ENABLE, > I40E_CLIENT_VSI_FLAG_TCP_ENABLE); > } >
i40e.patch
Description: Binary data
_______________________________________________ E1000-devel mailing list E1000-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/e1000-devel To learn more about Intel Ethernet, visit https://community.intel.com/t5/Ethernet-Products/bd-p/ethernet-products