Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp3669501pxy;
        Mon, 26 Apr 2021 07:10:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzjhD8B/tpr0PylB/apS3cCrDnMzYi+wgumClbtIEElZh9hVLaBZDZMO/3z8vtYccNKZIPQ
X-Received: by 2002:a50:ee85:: with SMTP id f5mr3696692edr.8.1619446210970;
        Mon, 26 Apr 2021 07:10:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619446210; cv=none;
        d=google.com; s=arc-20160816;
        b=xCh3jW/LfW9Dk0163Ty93gmYb8vVMPrtMRcYduQlgmFPvQ6zfP0KG0CmqOqQTR4Bsz
         WI5pX/yFFsOm4Dqet3nsqgBUbBIBB2N13i5a1zruaCzZpooU+cj31K5gwpkYHgd0rOEs
         xMwnml5WpEhFZBEXiolxQqw2EtU66Onr9hiAja40z+9tiI6BtF1rDoOuavWh1ra/TjBV
         AwKNq+3qKbGM2Y0HjAhAujQYUSh8tq9I2sfc3zP6l6CMB/P8ZeqJIV6WMh3ZxfxHVVwY
         nmzukacgviA0gINv+Cy52X4AJctNdISsJq56uHHmoNRiO77eknHXmpk6vbzec/rTV7yr
         kepA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=yHvzrd1ko8bT/rLvfOe6xTk+KVZ/CieWVqR+uGCIwck=;
        b=qCbUeB9PcratZvvI/1Aas1XxIX7AZWCdML0IqXnsAnOWkds3F+7t3kq7N9VGtO1uG3
         9segKLhOR5AHhDHvJzXIIXiJkb/5oHzkPb/cQOkufbe84c+bFjumsTxoo3Aw8vpqcaeY
         /WBSs454Y0zJz3LD+2MSUG6k1uSyVSAytt1QzHjI7Ikb31Z8kxPoH7xCK4ijpHnWxFxc
         RQXnF6BPQOMabT9WNyjmIq3VpZnNHXpCqJMg72H6D0m8lSyD69R8x07NPwB8ZfiGMvCo
         OXP7f/KMcwRPuRf/uvniBJCCP3c/KXYFw438p13pgee6kE7sLmznBYu8nyB+wRQfFonl
         Tg1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=fy3LYR0m;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s8si13685183ejq.612.2021.04.26.07.09.46;
        Mon, 26 Apr 2021 07:10:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=fy3LYR0m;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233755AbhDZOHM (ORCPT <rfc822;liujingjun001@gmail.com>
        + 99 others); Mon, 26 Apr 2021 10:07:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41534 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232575AbhDZOHJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Apr 2021 10:07:09 -0400
Received: from ustc.edu.cn (email6.ustc.edu.cn [IPv6:2001:da8:d800::8])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 550FCC061574;
        Mon, 26 Apr 2021 07:06:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mail.ustc.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date:
        Message-Id:MIME-Version:Content-Transfer-Encoding; bh=yHvzrd1ko8
        bT/rLvfOe6xTk+KVZ/CieWVqR+uGCIwck=; b=fy3LYR0m4E/Dhy/FMGqzZYQ+Wq
        LLKgXV6d5/mUyVopAHfORzZAnXdRcSN4/hvYIJRdhKMA5VGGnqtPSy4iuYKZ10K5
        3z3XDJGYlPQhLoAgpW98/hkExXggFH1/Mme5nui+94czgWPVkilvo4CCveuhcbP6
        8PBPFrXourOEOQhTo=
Received: from ubuntu.localdomain (unknown [202.38.69.14])
        by newmailweb.ustc.edu.cn (Coremail) with SMTP id LkAmygBXXzfYyIZgCUBLAA--.5813S4;
        Mon, 26 Apr 2021 22:06:16 +0800 (CST)
From:   Lv Yunlong <lyl2019@mail.ustc.edu.cn>
To:     selvin.xavier@broadcom.com, devesh.sharma@broadcom.com,
        somnath.kotur@broadcom.com, sriharsha.basavapatna@broadcom.com,
        nareshkumar.pbs@broadcom.com, dledford@redhat.com, jgg@ziepe.ca
Cc:     linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
        Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Subject: [PATCH] RDMA/bnxt_re/qplib_res: Fix a double free in bnxt_qplib_alloc_res
Date:   Mon, 26 Apr 2021 07:06:14 -0700
Message-Id: <20210426140614.6722-1-lyl2019@mail.ustc.edu.cn>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: LkAmygBXXzfYyIZgCUBLAA--.5813S4
X-Coremail-Antispam: 1UD129KBjvJXoW7GFWrWFy5GF48tw4ftw1kXwb_yoW8Jry3pr
        47Wr90kr98JFs2kF42q3yUCr45A3srJ34vgay2k3y3C3Z5Zas7tF1kGasrtF9IyFZ8Kr1I
        kwnxXw4UKFy7uF7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
        9KBjDU0xBIdaVrnRJUUUB014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
        rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
        1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j
        6r4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV
        Cq3wAac4AC62xK8xCEY4vEwIxC4wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC
        0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr
        1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IE
        rcIFxwACI402YVCY1x02628vn2kIc2xKxwCY02Avz4vE14v_Xryl42xK82IYc2Ij64vIr4
        1l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK
        67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI
        8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAv
        wI8IcIk0rVWrJr0_WFyUJwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I
        0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjfUYZXODUUUU
X-CM-SenderInfo: ho1ojiyrz6zt1loo32lwfovvfxof0/
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In bnxt_qplib_alloc_res, it calls bnxt_qplib_alloc_dpi_tbl().
Inside bnxt_qplib_alloc_dpi_tbl, dpit->dbr_bar_reg_iomem is freed via
pci_iounmap() in unmap_io error branch. After the callee returns err code,
bnxt_qplib_alloc_res calls bnxt_qplib_free_res()->bnxt_qplib_free_dpi_tbl()
in fail branch. Then dpit->dbr_bar_reg_iomem is freed in the second time by
pci_iounmap().

My patch set dpit->dbr_bar_reg_iomem to NULL after it is freed by pci_iounmap()
in the first time, to avoid the double free.

Fixes: 1ac5a40479752 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/infiniband/hw/bnxt_re/qplib_res.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index fa7878336100..3ca47004b752 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -854,6 +854,7 @@ static int bnxt_qplib_alloc_dpi_tbl(struct bnxt_qplib_res     *res,
 
 unmap_io:
 	pci_iounmap(res->pdev, dpit->dbr_bar_reg_iomem);
+	dpit->dbr_bar_reg_iomem = NULL;
 	return -ENOMEM;
 }
 
-- 
2.25.1