Date: Wed, 15 Apr 2020 11:09:10 -0300
From: Jason Gunthorpe
To: Xiyu Yang
Cc: Bernard Metzler, Doug Ledford, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan
Subject: Re: [PATCH] RDMA/siw: Fix potential siw_mem refcnt leak in nr_add_node
Message-ID: <20200415140910.GN5100@ziepe.ca>
In-Reply-To: <1586939949-69856-1-git-send-email-xiyuyang19@fudan.edu.cn>

On Wed, Apr 15, 2020 at 04:39:08PM +0800, Xiyu Yang wrote:
> siw_fastreg_mr() invokes siw_mem_id2obj(), which returns a local
> reference of the siw_mem object to "mem" with increased refcnt.
> When siw_fastreg_mr() returns, "mem" becomes invalid, so the refcount
> should be decreased to keep refcount balanced.
>
> The issue happens in one error path of siw_fastreg_mr(). When "base_mr"
> equals to NULL but "mem" is not NULL, the function forgets to decrease
> the refcnt increased by siw_mem_id2obj() and causes a refcnt leak.
>
> Fix this issue by calling siw_mem_put() on this error path when mem is
> not NULL.
>
> Signed-off-by: Xiyu Yang
> Signed-off-by: Xin Tan
> drivers/infiniband/sw/siw/siw_qp_tx.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c > index ae92c8080967..86044a44b83b 100644 > +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c > @@ -926,6 +926,8 @@ static int siw_fastreg_mr(struct ib_pd *pd, struct siw_sqe *sqe) > siw_dbg_pd(pd, "STag 0x%08x\n", sqe->rkey); > > if (unlikely(!mem || !base_mr)) { > + if (mem) > + siw_mem_put(mem); > pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey); > return -EINVAL; > }

I think I prefer this version, which is what I'll use if nobody has concerns:

diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c index ae92c8080967c5..0580bbf535ceb7 100644 --- a/drivers/infiniband/sw/siw/siw_qp_tx.c +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c @@ -920,20 +920,28 @@ static int siw_fastreg_mr(struct ib_pd *pd, struct siw_sqe *sqe) { struct ib_mr *base_mr = (struct ib_mr *)(uintptr_t)sqe->base_mr; struct siw_device *sdev = to_siw_dev(pd->device); - struct siw_mem *mem = siw_mem_id2obj(sdev, sqe->rkey >> 8); + struct siw_mem *mem; int rv = 0; siw_dbg_pd(pd, "STag 0x%08x\n", sqe->rkey); - if (unlikely(!mem || !base_mr)) { + if (unlikely(!base_mr)) { pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey); return -EINVAL; } + if (unlikely(base_mr->rkey >> 8 != sqe->rkey >> 8)) { pr_warn("siw: fastreg: STag 0x%08x: bad MR\n", sqe->rkey); + return -EINVAL; + } + + mem = siw_mem_id2obj(sdev, sqe->rkey >> 8); + if (unlikely(!mem)) { + pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey); rv = -EINVAL; goto out; } + if (unlikely(mem->pd != pd)) { pr_warn("siw: fastreg: PD mismatch\n"); rv = -EINVAL;
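
Review bot: in the @@ -920,20 +920,28 @@ hunk of the replacement patch, the new !base_mr check and the new !mem check after siw_mem_id2obj() both print "siw: fastreg: STag 0x%08x unknown", so a log line no longer tells a missing base MR pointer apart from a failed STag lookup; give the !base_mr case its own message text. The two checks placed before the lookup exit with a direct return -EINVAL while the checks after it use rv = -EINVAL followed by goto out. That split is what keeps the refcount balanced, and it holds only while nothing above the siw_mem_id2obj() call takes a reference, so a one-line comment at the lookup saying that everything below it must leave through out would protect the ordering against later edits.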
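
Review bot: the subject line of the quoted patch names nr_add_node, but its only hunk (@@ -926,6 +926,8 @@) is in siw_fastreg_mr() and the commit message describes siw_fastreg_mr() throughout; the subject should name that function so the fix can be found from the log. Within the hunk, the added siw_mem_put() sits behind a second test of mem inside the combined !mem || !base_mr branch, so the cleanup depends on which operand failed. Validating base_mr before the reference is taken removes the need for a conditional put on that path.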