2022-10-17 14:48:15

by Natalia Petrova

Subject: [PATCH] rdmavt: avoid NULL pointer dereference in rvt_qp_exit()

rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is
dereferenced before that in rvt_free_all_qps().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut
down")
Signed-off-by: Natalia Petrova <[email protected]>
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
index 3acab569fbb9..06e755975f61 100644
--- a/drivers/infiniband/sw/rdmavt/qp.c
+++ b/drivers/infiniband/sw/rdmavt/qp.c
@@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi)
*/
void rvt_qp_exit(struct rvt_dev_info *rdi)
{
- u32 qps_inuse = rvt_free_all_qps(rdi);
+ u32 qps_inuse = 0;
+
+ if (!rdi->qp_dev)
+ return;
+
+ qps_inuse = rvt_free_all_qps(rdi);

if (qps_inuse)
rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
qps_inuse);
- if (!rdi->qp_dev)
- return;

kfree(rdi->qp_dev->qp_table);
free_qpn_table(&rdi->qp_dev->qpn_table);
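Review bot: the new early return 'if (!rdi->qp_dev) return;' at the top of rvt_qp_exit() has no stated trigger: neither the hunk nor the commit message names a path on which rvt_qp_exit() runs with qp_dev unset. If no such path exists, the guard is dead code and deleting the later check alone is the smaller change; if one does exist, name it in the commit message. Separately, the '= 0' initializer on qps_inuse is redundant, since the variable is assigned from rvt_free_all_qps(rdi) before its first read.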
--
2.34.1


2022-10-18 09:02:16

by Leon Romanovsky

Subject: Re: [PATCH] rdmavt: avoid NULL pointer dereference in rvt_qp_exit()

On Mon, Oct 17, 2022 at 05:26:52PM +0300, Natalia Petrova wrote:
> rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is
> dereferenced before that in rvt_free_all_qps().
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut
> down")

Please never break fixes line.

> Signed-off-by: Natalia Petrova <[email protected]>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
> ---
> drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
> index 3acab569fbb9..06e755975f61 100644
> --- a/drivers/infiniband/sw/rdmavt/qp.c
> +++ b/drivers/infiniband/sw/rdmavt/qp.c
> @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi)
> */
> void rvt_qp_exit(struct rvt_dev_info *rdi)
> {
> - u32 qps_inuse = rvt_free_all_qps(rdi);
> + u32 qps_inuse = 0;
> +
> + if (!rdi->qp_dev)
> + return;
> +
> + qps_inuse = rvt_free_all_qps(rdi);

These lines are not needed.

>
> if (qps_inuse)
> rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
> qps_inuse);
> - if (!rdi->qp_dev)
> - return;

It is enough to delete these two lines. At this stage, rdi->qp_dev always
exists as it was created in rvt_register_device().

Thanks

2022-10-18 14:53:10

by Dennis Dalessandro

Subject: Re: [PATCH] rdmavt: avoid NULL pointer dereference in rvt_qp_exit()

On 10/18/22 4:41 AM, Leon Romanovsky wrote:
> On Mon, Oct 17, 2022 at 05:26:52PM +0300, Natalia Petrova wrote:
>> rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is
>> dereferenced before that in rvt_free_all_qps().
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut
>> down")
>
> Please never break fixes line.
>
>> Signed-off-by: Natalia Petrova <[email protected]>
>> Signed-off-by: Alexey Khoroshilov <[email protected]>
>> ---
>> drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
>> index 3acab569fbb9..06e755975f61 100644
>> --- a/drivers/infiniband/sw/rdmavt/qp.c
>> +++ b/drivers/infiniband/sw/rdmavt/qp.c
>> @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi)
>> */
>> void rvt_qp_exit(struct rvt_dev_info *rdi)
>> {
>> - u32 qps_inuse = rvt_free_all_qps(rdi);
>> + u32 qps_inuse = 0;
>> +
>> + if (!rdi->qp_dev)
>> + return;
>> +
>> + qps_inuse = rvt_free_all_qps(rdi);
>
> These lines are not needed.
>
>>
>> if (qps_inuse)
>> rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
>> qps_inuse);
>> - if (!rdi->qp_dev)
>> - return;
>
> It is enough to delete these two lines. At this stage, rdi->qp_dev always
> exists as it was created in rvt_register_device().
>

Agree with Leon here. qp_dev is created in rvt_register_device which will fail
if the qp dev allocation fails in rvt_driver_qp_init().

-Denny

2023-03-03 12:44:20

by Natalia Petrova

Subject: [PATCH v2] rdmavt: delete unnecessary NULL check

There is no need to check 'rdi->qp_dev' for NULL. The field 'qp_dev'
is created in rvt_register_device() which will fail if the 'qp_dev'
allocation fails in rvt_driver_qp_init(). Otherwise this pointer
doesn't change and is passed to rvt_qp_exit() by the next step.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0acb0cc7ecc1 ("IB/rdmavt: Initialize and teardown of qpn table")
Signed-off-by: Natalia Petrova <[email protected]>
---
v2: The remark about non-null value of 'rdi->qp_dev' by Leon Romanovsky <[email protected]>
and Dennis Dalessandro <[email protected]> was taken into account.
drivers/infiniband/sw/rdmavt/qp.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
index 3acab569fbb9..2bdc4486c3da 100644
--- a/drivers/infiniband/sw/rdmavt/qp.c
+++ b/drivers/infiniband/sw/rdmavt/qp.c
@@ -464,8 +464,6 @@ void rvt_qp_exit(struct rvt_dev_info *rdi)
if (qps_inuse)
rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
qps_inuse);
- if (!rdi->qp_dev)
- return;

kfree(rdi->qp_dev->qp_table);
free_qpn_table(&rdi->qp_dev->qpn_table);
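Review bot: after the check is dropped, 'kfree(rdi->qp_dev->qp_table);' and 'free_qpn_table(&rdi->qp_dev->qpn_table);' depend on qp_dev being non-NULL, and that precondition is recorded only in the commit message. A sentence in the comment block above rvt_qp_exit() stating that the function is called only after rvt_register_device() has succeeded would keep the invariant visible to later callers and to anyone triaging the same static-analysis warning again.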
--
2.34.1


2023-03-14 09:26:26

by Leon Romanovsky

Subject: Re: [PATCH v2] rdmavt: delete unnecessary NULL check


On Fri, 03 Mar 2023 15:44:08 +0300, Natalia Petrova wrote:
> There is no need to check 'rdi->qp_dev' for NULL. The field 'qp_dev'
> is created in rvt_register_device() which will fail if the 'qp_dev'
> allocation fails in rvt_driver_qp_init(). Otherwise this pointer
> doesn't change and is passed to rvt_qp_exit() by the next step.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> [...]

Applied, thanks!

[1/1] rdmavt: delete unnecessary NULL check
https://git.kernel.org/rdma/rdma/c/9b3366ec12f0d7

Best regards,
--
Leon Romanovsky <[email protected]>