[03/31] rdma/siw: remove superfluous siw_cep_put() from siw_connect() error path

Message ID 66dd3e80886db4a9fe1795ecd906330255923625.1620343860.git.metze@samba.org (mailing list archive)
State Changes Requested
Series rdma/siw: fix a lot of deadlocks and use after free bugs

Commit Message

Stefan Metzmacher May 6, 2021, 11:36 p.m. UTC
The following change demonstrates the bug:

    --- a/drivers/infiniband/sw/siw/siw_cm.c
    +++ b/drivers/infiniband/sw/siw/siw_cm.c
    @@ -1507,6 +1507,9 @@ int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params)
            if (rv >= 0) {
                    rv = siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT);
                    if (!rv) {
    +                       rv = -ECONNRESET;
    +                       msleep_interruptible(100);
    +                       goto error;
                            siw_dbg_cep(cep, "[QP %u]: exit\n", qp_id(qp));
                            siw_cep_set_free(cep);
                            return 0;
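
Review bot: the injected "goto error" sits inside if (!rv), the success branch of siw_cm_queue_work(cep, SIW_CM_WORK_MPATIMEOUT), so this reproducer enters the error path with the MPA timeout work already queued. The commit message should name a real failure that reaches the same label in the same reference state, so the WARN_ON() is tied to a reachable case and not only to this injection. A sentence on why msleep_interruptible(100) is needed for the reproduction would also help.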

That change triggers the WARN_ON() in siw_cep_put().

As there's no siw_cep_get() around id->add_ref()
I removed the siw_cep_put() following id->rem_ref().

Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Cc: Bernard Metzler <bmt@zurich.ibm.com>
Cc: linux-rdma@vger.kernel.org
---
 drivers/infiniband/sw/siw/siw_cm.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Bernard Metzler May 7, 2021, 1:52 p.m. UTC | #1
-----"Stefan Metzmacher" <metze@samba.org> wrote: -----

>To: "Bernard Metzler" <bmt@zurich.ibm.com>
>From: "Stefan Metzmacher" <metze@samba.org>
>Date: 05/07/2021 01:37AM
>Cc: linux-rdma@vger.kernel.org, "Stefan Metzmacher" <metze@samba.org>
>Subject: [EXTERNAL] [PATCH 03/31] rdma/siw: remove superfluous
>siw_cep_put() from siw_connect() error path
>
>The following change demonstrates the bug:
>
>    --- a/drivers/infiniband/sw/siw/siw_cm.c
>    +++ b/drivers/infiniband/sw/siw/siw_cm.c
>    @@ -1507,6 +1507,9 @@ int siw_connect(struct iw_cm_id *id, struct
>iw_cm_conn_param *params)
>            if (rv >= 0) {
>                    rv = siw_cm_queue_work(cep,
>SIW_CM_WORK_MPATIMEOUT);
>                    if (!rv) {
>    +                       rv = -ECONNRESET;
>    +                       msleep_interruptible(100);
>    +                       goto error;
>                            siw_dbg_cep(cep, "[QP %u]: exit\n",
>qp_id(qp));
>                            siw_cep_set_free(cep);
>                            return 0;
>
>That change triggers the WARN_ON() in siw_cep_put().
>
>As there's no siw_cep_get() around id->add_ref()
>I removed the siw_cep_put() following id->rem_ref().
>
>Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Cc: Bernard Metzler <bmt@zurich.ibm.com>
>Cc: linux-rdma@vger.kernel.org
>---
> drivers/infiniband/sw/siw/siw_cm.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_cm.c
>b/drivers/infiniband/sw/siw/siw_cm.c
>index 7a5ed86ffc9f..da84686a21fd 100644
>--- a/drivers/infiniband/sw/siw/siw_cm.c
>+++ b/drivers/infiniband/sw/siw/siw_cm.c
>@@ -1494,7 +1494,6 @@ int siw_connect(struct iw_cm_id *id, struct
>iw_cm_conn_param *params)
> 
> 		cep->cm_id = NULL;
> 		id->rem_ref(id);
>-		siw_cep_put(cep);
> 
> 		qp->cep = NULL;
> 		siw_cep_put(cep);
>-- 
>2.25.1
>
>

Thanks, good catch!

Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
Patch

diff --git a/drivers/infiniband/sw/siw/siw_cm.c b/drivers/infiniband/sw/siw/siw_cm.c
index 7a5ed86ffc9f..da84686a21fd 100644
--- a/drivers/infiniband/sw/siw/siw_cm.c
+++ b/drivers/infiniband/sw/siw/siw_cm.c
@@ -1494,7 +1494,6 @@  int siw_connect(struct iw_cm_id *id, struct iw_cm_conn_param *params)
 
 		cep->cm_id = NULL;
 		id->rem_ref(id);
-		siw_cep_put(cep);
 
 		qp->cep = NULL;
 		siw_cep_put(cep);
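
Review bot: the pairing of puts to references on this error path is undocumented. After the removal, the only siw_cep_put(cep) left is the one following qp->cep = NULL, and the cep->cm_id = NULL / id->rem_ref(id) pair no longer drops a cep reference. Neither the id->add_ref() site nor the siw_cep_get() that the remaining put balances is visible in this hunk, so the correctness argument rests on the commit message alone. Consider a short comment on each pair saying which reference it releases (the cm_id reference through id->rem_ref(), the reference presumably held through qp->cep through siw_cep_put()), so a later change to the connect path does not reintroduce the extra put.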