[2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()

Message ID	20190105130648.GC3288@kadam (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@kernel.org> Date: Sat, 5 Jan 2019 16:06:48 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: "J. Bruce Fields" <bfields@fieldses.org>, Chuck Lever <chuck.lever@oracle.com> Cc: Jeff Layton <jlayton@kernel.org>, Trond Myklebust <trond.myklebust@hammerspace.com>, Anna Schumaker <anna.schumaker@netapp.com>, linux-nfs@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create() Message-ID: <20190105130648.GC3288@kadam> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk
Series	[1/2] xprtrdma: Fix error code in rpcrdma_buffer_create() \| expand [1/2] xprtrdma: Fix error code in rpcrdma_buffer_create() [2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()

Message ID

20190105130648.GC3288@kadam (mailing list archive)

State

New, archived

Headers

Date: Sat, 5 Jan 2019 16:06:48 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "J. Bruce Fields" <bfields@fieldses.org>,
        Chuck Lever <chuck.lever@oracle.com>
Cc: Jeff Layton <jlayton@kernel.org>,
        Trond Myklebust <trond.myklebust@hammerspace.com>,
        Anna Schumaker <anna.schumaker@netapp.com>,
        linux-nfs@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
Message-ID: <20190105130648.GC3288@kadam>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk

Series

[1/2] xprtrdma: Fix error code in rpcrdma_buffer_create() | expand

Commit Message

Dan Carpenter Jan. 5, 2019, 1:06 p.m. UTC

The clean up is handled by the caller, rpcrdma_buffer_create(), so this
call to rpcrdma_sendctxs_destroy() leads to a double free.

Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/sunrpc/xprtrdma/verbs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

Comments

Chuck Lever III Jan. 5, 2019, 4:24 p.m. UTC | #1

> On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> call to rpcrdma_sendctxs_destroy() leads to a double free.

True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
should be made more careful about being called twice. Hm.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>


> Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> net/sunrpc/xprtrdma/verbs.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> index 3dde05892c8e..4994e75945b8 100644
> --- a/net/sunrpc/xprtrdma/verbs.c
> +++ b/net/sunrpc/xprtrdma/verbs.c
> @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> 	for (i = 0; i <= buf->rb_sc_last; i++) {
> 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> 		if (!sc)
> -			goto out_destroy;
> +			return -ENOMEM;
> 
> 		sc->sc_xprt = r_xprt;
> 		buf->rb_sc_ctxs[i] = sc;
> 	}
> 
> 	return 0;
> -
> -out_destroy:
> -	rpcrdma_sendctxs_destroy(buf);
> -	return -ENOMEM;
> }
> 
> /* The sendctx queue is not guaranteed to have a size that is a
> -- 
> 2.17.1
> 

--
Chuck Lever

J. Bruce Fields Jan. 7, 2019, 5:22 p.m. UTC | #2

On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> 
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
> 
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
> 
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

I'm assuming Trond or Anna will pick this up.--b.

> 
> 
> > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > 1 file changed, 1 insertion(+), 5 deletions(-)
> > 
> > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > index 3dde05892c8e..4994e75945b8 100644
> > --- a/net/sunrpc/xprtrdma/verbs.c
> > +++ b/net/sunrpc/xprtrdma/verbs.c
> > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> > 	for (i = 0; i <= buf->rb_sc_last; i++) {
> > 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > 		if (!sc)
> > -			goto out_destroy;
> > +			return -ENOMEM;
> > 
> > 		sc->sc_xprt = r_xprt;
> > 		buf->rb_sc_ctxs[i] = sc;
> > 	}
> > 
> > 	return 0;
> > -
> > -out_destroy:
> > -	rpcrdma_sendctxs_destroy(buf);
> > -	return -ENOMEM;
> > }
> > 
> > /* The sendctx queue is not guaranteed to have a size that is a
> > -- 
> > 2.17.1
> > 
> 
> --
> Chuck Lever
> 
>

Dan Carpenter Jan. 7, 2019, 6:41 p.m. UTC | #3

On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> 
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
> 
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
> 

I actually wrote the patch like that originally, but then this way made
for an easier patch description so I re-wrote it.  Let me send the other
patch and you can apply that or both if you want.

regards,
dan carpenter

Schumaker, Anna Jan. 7, 2019, 10:21 p.m. UTC | #4

On Mon, 2019-01-07 at 12:22 -0500, Bruce Fields wrote:
> On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> > > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com>
> > > wrote:
> > > 
> > > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > > call to rpcrdma_sendctxs_destroy() leads to a double free.
> > 
> > True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> > should be made more careful about being called twice. Hm.
> > 
> > Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
> 
> I'm assuming Trond or Anna will pick this up.--b.

Yeah, I'll take this one and 1/2 for a 5.0-rc.  I might save the additional
cleanup patch Dan sent for 5.1

Anna

> 
> > 
> > > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send
> > > arguments")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > > 1 file changed, 1 insertion(+), 5 deletions(-)
> > > 
> > > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > > index 3dde05892c8e..4994e75945b8 100644
> > > --- a/net/sunrpc/xprtrdma/verbs.c
> > > +++ b/net/sunrpc/xprtrdma/verbs.c
> > > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct
> > > rpcrdma_xprt *r_xprt)
> > > 	for (i = 0; i <= buf->rb_sc_last; i++) {
> > > 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > > 		if (!sc)
> > > -			goto out_destroy;
> > > +			return -ENOMEM;
> > > 
> > > 		sc->sc_xprt = r_xprt;
> > > 		buf->rb_sc_ctxs[i] = sc;
> > > 	}
> > > 
> > > 	return 0;
> > > -
> > > -out_destroy:
> > > -	rpcrdma_sendctxs_destroy(buf);
> > > -	return -ENOMEM;
> > > }
> > > 
> > > /* The sendctx queue is not guaranteed to have a size that is a
> > > -- 
> > > 2.17.1
> > > 
> > 
> > --
> > Chuck Lever
> > 
> >

diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 3dde05892c8e..4994e75945b8 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -845,17 +845,13 @@  static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
 	for (i = 0; i <= buf->rb_sc_last; i++) {
 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
 		if (!sc)
-			goto out_destroy;
+			return -ENOMEM;
 
 		sc->sc_xprt = r_xprt;
 		buf->rb_sc_ctxs[i] = sc;
 	}
 
 	return 0;
-
-out_destroy:
-	rpcrdma_sendctxs_destroy(buf);
-	return -ENOMEM;
 }
 
 /* The sendctx queue is not guaranteed to have a size that is a

[2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()

Commit Message

Comments

Patch