2022-11-22 06:30:15

by wangyufen

Subject: [PATCH] infiniband: cma: fix the dev refcnt leak

Syzbot reports the following issue:
infiniband syj1: RDMA CMA: cma_listen_on_dev, error -98
unregister_netdevice: waiting for vlan0 to become free. Usage count = 2

The causes are as follows:

rdma_listen()
rdma_bind_addr()
cma_acquire_dev_by_src_ip()
cma_attach_to_dev()
_cma_attach_to_dev()
cma_dev_get()

cma_check_port()
<--The return value is -98, goto err

err:
<-- The error handling here is missing the operation of cma_release_dev.

To fix, add cma_release_dev to error handling.

Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
Reported-by: [email protected]
Signed-off-by: Wang Yufen <[email protected]>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 26d1772..3a50a8e 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -4049,6 +4049,9 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
return 0;
err:
id_priv->backlog = 0;
+ if (id_priv->cma_dev)
+ cma_release_dev(id_priv);
+
/*
* All the failure paths that lead here will not allow the req_handler's
* to have run.
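Review bot: the new release at `err:` is guarded only by `id_priv->cma_dev` being non-NULL, and the comment just below it speaks of all the failure paths that lead to this label, so the reference is dropped whether or not this call to rdma_listen() was the one that took it. If the id's teardown path also releases the device, that is a second put for a single get. Consider releasing only on the path where this call attached the device (the rdma_bind_addr() path in the changelog's trace), or explain in the changelog why no later release can follow this one.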
--
1.8.3.1


2022-11-22 14:10:03

by Jason Gunthorpe

Subject: Re: [PATCH] infiniband: cma: fix the dev refcnt leak

On Tue, Nov 22, 2022 at 02:47:53PM +0800, Wang Yufen wrote:
> Syzbot reports the following issue:
> infiniband syj1: RDMA CMA: cma_listen_on_dev, error -98
> unregister_netdevice: waiting for vlan0 to become free. Usage count = 2
>
> The causes are as follows:
>
> rdma_listen()
> rdma_bind_addr()
> cma_acquire_dev_by_src_ip()
> cma_attach_to_dev()
> _cma_attach_to_dev()
> cma_dev_get()
>
> cma_check_port()
> <--The return value is -98, goto err
>
> err:
> <-- The error handling here is missing the operation of cma_release_dev.
>
> To fix, add cma_release_dev to error handling.
>
> Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
> Reported-by: [email protected]
> Signed-off-by: Wang Yufen <[email protected]>
> ---
> drivers/infiniband/core/cma.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
> index 26d1772..3a50a8e 100644
> --- a/drivers/infiniband/core/cma.c
> +++ b/drivers/infiniband/core/cma.c
> @@ -4049,6 +4049,9 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
> return 0;
> err:
> id_priv->backlog = 0;
> + if (id_priv->cma_dev)
> + cma_release_dev(id_priv);
> +
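Review bot: the added `cma_release_dev(id_priv)` under `err:` carries no comment naming the acquisition it pairs with, and the changelog does not settle it: the trace attributes -98 to cma_check_port(), while the quoted log line reports the error from cma_listen_on_dev. A short comment above the `if` saying which get is being undone, together with a changelog that names the failing call consistently, would let a reader check that the put is balanced.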

I'm not sure about this, the dev is released during _destroy_id()

Is something leaking an entire CM id or is there something wrong with
_destroy_id() ?

Jason