Commit 05af4ffc authored by Yishai Hadas's avatar Yishai Hadas Committed by Yi Yang
Browse files

vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() 

mainline inclusion
from mainline-v6.13-rc1
commit 22e87bf3f77c18f5982c19ffe2732ef0c7a25f16
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEGF7
CVE: CVE-2024-56742

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22e87bf3f77c18f5982c19ffe2732ef0c7a25f16



--------------------------------

Fix an unwind issue in mlx5vf_add_migration_pages().

If a set of pages is allocated but fails to be added to the SG table,
they need to be freed to prevent a memory leak.

Any pages successfully added to the SG table will be freed as part of
mlx5vf_free_data_buffer().

Fixes: 6fadb021 ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices")
Signed-off-by: default avatarYishai Hadas <yishaih@nvidia.com>
Reviewed-by: default avatarJason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20241114095318.16556-2-yishaih@nvidia.com


Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Conflicts:
	drivers/vfio/pci/mlx5/main.c
	drivers/vfio/pci/mlx5/cmd.c
[conflicts due to not mergered 821b8f6bf8489 ("vfio/mlx5: Enforce PRE_COPY support")]
Signed-off-by: default avatarYi Yang <yiyang13@huawei.com>
parent 1cbb44cd

drivers/vfio/pci/mlx5/main.c

+5 −1
Original line number Diff line number Diff line
@@ -71,6 +71,7 @@ int mlx5vf_add_migration_pages(struct mlx5_vhca_data_buffer *buf, 
	unsigned long filled;

	unsigned int to_fill;

	int ret;

	int i;



	to_fill = min_t(unsigned int, npages, PAGE_SIZE / sizeof(*page_list));

	page_list = kvzalloc(to_fill * sizeof(*page_list), GFP_KERNEL_ACCOUNT);
@@ -91,7 +92,7 @@ int mlx5vf_add_migration_pages(struct mlx5_vhca_data_buffer *buf, 
			GFP_KERNEL_ACCOUNT);



		if (ret)

			goto err;

			goto err_append;

		buf->allocated_length += filled * PAGE_SIZE;

		/* clean input for another bulk allocation */

		memset(page_list, 0, filled * sizeof(*page_list));
@@ -102,6 +103,9 @@ int mlx5vf_add_migration_pages(struct mlx5_vhca_data_buffer *buf, 
	kvfree(page_list);

	return 0;



err_append:

	for (i = filled - 1; i >= 0; i--)

		__free_page(page_list[i]);

err:

	kvfree(page_list);

	return ret;