Message ID | 66dd3e80886db4a9fe1795ecd906330255923625.1620343860.git.metze@samba.org (mailing list archive) |
---|---|
State | Changes Requested |
Series | rdma/siw: fix a lot of deadlocks and use after free bugs |
-----"Stefan Metzmacher" <metze@samba.org> wrote: -----

>To: "Bernard Metzler" <bmt@zurich.ibm.com>
>From: "Stefan Metzmacher" <metze@samba.org>
>Date: 05/07/2021 01:37AM
>Cc: linux-rdma@vger.kernel.org, "Stefan Metzmacher" <metze@samba.org>
>Subject: [EXTERNAL] [PATCH 03/31] rdma/siw: remove superfluous
>siw_cep_put() from siw_connect() error path
>
>The following change demonstrates the bug:
>
> --- a/drivers/infiniband/sw/siw/siw_cm.c > +++ b/drivers/infiniband/sw/siw/siw_cm.c > @@ -1507,6 +1507,9 @@ int siw_connect(struct iw_cm_id *id, struct >iw_cm_conn_param *params) > if (rv >= 0) { > rv = siw_cm_queue_work(cep, >SIW_CM_WORK_MPATIMEOUT); > if (!rv) { > + rv = -ECONNRESET; > + msleep_interruptible(100); > + goto error; > siw_dbg_cep(cep, "[QP %u]: exit\n", >qp_id(qp)); > siw_cep_set_free(cep); > return 0;
>
>That change triggers the WARN_ON() in siw_cep_put().
>
>As there's no siw_cep_get() around id->add_ref()
>I removed the siw_cep_put() following id->rem_ref().
>
>Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Cc: Bernard Metzler <bmt@zurich.ibm.com>
>Cc: linux-rdma@vger.kernel.org
>---
> drivers/infiniband/sw/siw/siw_cm.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_cm.c >b/drivers/infiniband/sw/siw/siw_cm.c >index 7a5ed86ffc9f..da84686a21fd 100644 >--- a/drivers/infiniband/sw/siw/siw_cm.c >+++ b/drivers/infiniband/sw/siw/siw_cm.c >@@ -1494,7 +1494,6 @@ int siw_connect(struct iw_cm_id *id, struct >iw_cm_conn_param *params) > > cep->cm_id = NULL; > id->rem_ref(id); >- siw_cep_put(cep); > > qp->cep = NULL; > siw_cep_put(cep);
>--
>2.25.1
>
>

Thanks, good catch!

Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c index 7a5ed86ffc9f..da84686a21fd 100644 --- a/drivers/infiniband/sw/siw/siw_cm.c +++ b/drivers/infiniband/sw/siw/siw_cm.c @@ -1494,7 +1494,6 @@ int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params) cep->cm_id = NULL; id->rem_ref(id); - siw_cep_put(cep); qp->cep = NULL; siw_cep_put(cep);
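Review bot: the `siw_cep_put(cep)` that remains after `qp->cep = NULL;` has no visible matching siw_cep_get() in this hunk, and the commit message only explains why the put after `id->rem_ref(id);` was unbalanced. Please state in the commit message (or in a short comment beside each put in the error path) which reference each remaining put drops, and confirm that every `goto error` in siw_connect() is reached only after that reference has been taken. Otherwise the same WARN_ON() or an early free of the cep could still occur on an earlier failure exit.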
The following change demonstrates the bug:

--- a/drivers/infiniband/sw/siw/siw_cm.c +++ b/drivers/infiniband/sw/siw/siw_cm.c @@ -1507,6 +1507,9 @@ int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params) if (rv >= 0) { rv = siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT); if (!rv) { + rv = -ECONNRESET; + msleep_interruptible(100); + goto error; siw_dbg_cep(cep, "[QP %u]: exit\n", qp_id(qp)); siw_cep_set_free(cep); return 0;

That change triggers the WARN_ON() in siw_cep_put().

As there's no siw_cep_get() around id->add_ref() I removed the siw_cep_put() following id->rem_ref().

Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Cc: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org
---
drivers/infiniband/sw/siw/siw_cm.c | 1 -
1 file changed, 1 deletion(-)
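Review bot: the injected `goto error` in the reproducer sits inside the `if (!rv)` branch, that is, only after siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT) has succeeded, so it exercises the error path in just one state, with the MPA timeout work already queued. The commit message should say whether the WARN_ON() in siw_cep_put() also fires for failures taken before that point, since that decides whether deleting a single put is correct for all error exits. It would also help to mark the snippet as test-only, because the lines following `goto error;` become unreachable.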