RDMA/rxe: Prevent double freeing rxe_map_set()
The same rxe_map_set could be freed twice:

rxe_reg_user_mr()
  -> rxe_mr_init_user()
    -> rxe_mr_free_map_set() # 1st

  -> rxe_drop_ref()
   ...
    -> rxe_mr_cleanup()
      -> rxe_mr_free_map_set() # 2nd

Follow normal convention and put resource cleanup either in the error
unwind of the allocator, or the overall free function. Leave the object
unchanged with a NULL cur_map_set on failure and remove the unnecessary
free in rxe_mr_init_user().

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Li Zhijian <[email protected]>
Acked-by: Zhu Yanjun <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
zhijianli88 authored and jgunthorpe committed Jan 4, 2022
1 parent c9e6606 commit 8ff5f5d
Showing 1 changed file with 7 additions and 9 deletions.
16 changes: 7 additions & 9 deletions drivers/infiniband/sw/rxe/rxe_mr.c
Expand Up @@ -135,19 +135,19 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf, int both)

ret = rxe_mr_alloc_map_set(num_map, &mr->cur_map_set);
if (ret)
goto err_out;
return -ENOMEM;

if (both) {
ret = rxe_mr_alloc_map_set(num_map, &mr->next_map_set);
if (ret) {
rxe_mr_free_map_set(mr->num_map, mr->cur_map_set);
goto err_out;
}
if (ret)
goto err_free;
}

return 0;

err_out:
err_free:
rxe_mr_free_map_set(mr->num_map, mr->cur_map_set);
mr->cur_map_set = NULL;
return -ENOMEM;
}
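
Review bot: the early `return -ENOMEM;` after the first rxe_mr_alloc_map_set() call leaves mr->cur_map_set untouched, so the "NULL cur_map_set on failure" guarantee from the commit message holds on that path only if rxe_mr_alloc_map_set() never writes its output pointer when it fails; only err_free resets it explicitly. Worth confirming that in the helper, or setting `mr->cur_map_set = NULL;` on both paths. Two smaller points: both exits hardcode -ENOMEM and drop `ret`, and the allocations take the local `num_map` while the free takes `mr->num_map`, so the assignment of mr->num_map has to precede this block (not visible in the hunk).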

Expand Down Expand Up @@ -214,7 +214,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
pr_warn("%s: Unable to get virtual address\n",
__func__);
err = -ENOMEM;
goto err_cleanup_map;
goto err_release_umem;
}

buf->addr = (uintptr_t)vaddr;
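
Review bot: at the "Unable to get virtual address" failure, `goto err_release_umem;` now returns with mr->cur_map_set still allocated and partly filled, so freeing it depends on every caller reaching rxe_mr_cleanup() through rxe_drop_ref() after an error, as rxe_reg_user_mr() does in the commit message's call chain. A short comment above the function or at the label, stating that the map set is owned by rxe_mr_cleanup() on failure, would keep a later caller from leaking it or from re-adding a local free.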
Expand All @@ -237,8 +237,6 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,

return 0;

err_cleanup_map:
rxe_mr_free_map_set(mr->num_map, mr->cur_map_set);
err_release_umem:
ib_umem_release(umem);
err_out:
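
Review bot: at err_release_umem, ib_umem_release(umem) now runs while the map set is still attached to mr, and its entries can already hold `buf->addr` values taken from the umem pages. That is fine as long as rxe_mr_cleanup() only frees the map arrays and never dereferences those addresses; if the function stores umem in mr before this point (not visible here), also check that the cleanup path does not release it a second time.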