Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38FFCC43387 for ; Mon, 7 Jan 2019 17:22:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0D4142089F for ; Mon, 7 Jan 2019 17:22:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727597AbfAGRWx (ORCPT ); Mon, 7 Jan 2019 12:22:53 -0500 Received: from fieldses.org ([173.255.197.46]:44626 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726676AbfAGRWx (ORCPT ); Mon, 7 Jan 2019 12:22:53 -0500 Received: by fieldses.org (Postfix, from userid 2815) id 47F911C20; Mon, 7 Jan 2019 12:22:53 -0500 (EST) Date: Mon, 7 Jan 2019 12:22:53 -0500 From: Bruce Fields To: Chuck Lever Cc: Dan Carpenter , Jeff Layton , Trond Myklebust , Anna Schumaker , Linux NFS Mailing List , kernel-janitors@vger.kernel.org Subject: Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create() Message-ID: <20190107172253.GA7196@fieldses.org> References: <20190105130648.GC3288@kadam> <0CEEB35A-2083-4888-9035-8A9ADF22E8E3@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0CEEB35A-2083-4888-9035-8A9ADF22E8E3@oracle.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote: > > > On Jan 5, 2019, at 8:06 AM, Dan Carpenter wrote: > > > > The clean up is handled by the caller, rpcrdma_buffer_create(), so this > > call to rpcrdma_sendctxs_destroy() leads to a double free. > > True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy > should be made more careful about being called twice. Hm. > > Reviewed-by: Chuck Lever I'm assuming Trond or Anna will pick this up.--b. > > > > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments") > > Signed-off-by: Dan Carpenter > > --- > > net/sunrpc/xprtrdma/verbs.c | 6 +----- > > 1 file changed, 1 insertion(+), 5 deletions(-) > > > > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c > > index 3dde05892c8e..4994e75945b8 100644 > > --- a/net/sunrpc/xprtrdma/verbs.c > > +++ b/net/sunrpc/xprtrdma/verbs.c > > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt) > > for (i = 0; i <= buf->rb_sc_last; i++) { > > sc = rpcrdma_sendctx_create(&r_xprt->rx_ia); > > if (!sc) > > - goto out_destroy; > > + return -ENOMEM; > > > > sc->sc_xprt = r_xprt; > > buf->rb_sc_ctxs[i] = sc; > > } > > > > return 0; > > - > > -out_destroy: > > - rpcrdma_sendctxs_destroy(buf); > > - return -ENOMEM; > > } > > > > /* The sendctx queue is not guaranteed to have a size that is a > > -- > > 2.17.1 > > > > -- > Chuck Lever > >