* [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Dan Carpenter @ 2019-01-05 13:06 UTC
  To: J. Bruce Fields, Chuck Lever
  Cc: Jeff Layton, Trond Myklebust, Anna Schumaker, linux-nfs, kernel-janitors

The clean up is handled by the caller, rpcrdma_buffer_create(), so this
call to rpcrdma_sendctxs_destroy() leads to a double free.

Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/sunrpc/xprtrdma/verbs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 3dde05892c8e..4994e75945b8 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
 	for (i = 0; i <= buf->rb_sc_last; i++) {
 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
 		if (!sc)
-			goto out_destroy;
+			return -ENOMEM;
 
 		sc->sc_xprt = r_xprt;
 		buf->rb_sc_ctxs[i] = sc;
 	}
 
 	return 0;
-
-out_destroy:
-	rpcrdma_sendctxs_destroy(buf);
-	return -ENOMEM;
 }
 
 /* The sendctx queue is not guaranteed to have a size that is a
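Review bot: at the new `return -ENOMEM` the function leaves with rb_sc_ctxs[0] through rb_sc_ctxs[i - 1] populated and nothing local releasing them, and the only statement that rpcrdma_buffer_create() owns that cleanup is in the commit message. A short comment above the return naming the caller as the owner would keep a later cleanup pass from reintroducing a local free. The teardown loop shown in the follow-up patch in this thread calls kfree() on every slot up to rb_sc_last, so the slots from i onward must still be NULL here; the allocation of rb_sc_ctxs is outside this hunk, so it is worth confirming that it is zero-initialised.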
-- 
2.17.1


* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Chuck Lever @ 2019-01-05 16:24 UTC
  To: Dan Carpenter
  Cc: Bruce Fields, Jeff Layton, Trond Myklebust, Anna Schumaker,
	Linux NFS Mailing List, kernel-janitors


> On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> call to rpcrdma_sendctxs_destroy() leads to a double free.

True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
should be made more careful about being called twice. Hm.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>


> Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> net/sunrpc/xprtrdma/verbs.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> index 3dde05892c8e..4994e75945b8 100644
> --- a/net/sunrpc/xprtrdma/verbs.c
> +++ b/net/sunrpc/xprtrdma/verbs.c
> @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> 	for (i = 0; i <= buf->rb_sc_last; i++) {
> 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> 		if (!sc)
> -			goto out_destroy;
> +			return -ENOMEM;
> 
> 		sc->sc_xprt = r_xprt;
> 		buf->rb_sc_ctxs[i] = sc;
> 	}
> 
> 	return 0;
> -
> -out_destroy:
> -	rpcrdma_sendctxs_destroy(buf);
> -	return -ENOMEM;
> }
> 
> /* The sendctx queue is not guaranteed to have a size that is a
> -- 
> 2.17.1
> 

--
Chuck Lever


* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Bruce Fields @ 2019-01-07 17:22 UTC
  To: Chuck Lever
  Cc: Dan Carpenter, Jeff Layton, Trond Myklebust, Anna Schumaker,
	Linux NFS Mailing List, kernel-janitors

On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> 
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
> 
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
> 
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

I'm assuming Trond or Anna will pick this up.

--b.

> 
> 
> > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > 1 file changed, 1 insertion(+), 5 deletions(-)
> > 
> > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > index 3dde05892c8e..4994e75945b8 100644
> > --- a/net/sunrpc/xprtrdma/verbs.c
> > +++ b/net/sunrpc/xprtrdma/verbs.c
> > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> > 	for (i = 0; i <= buf->rb_sc_last; i++) {
> > 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > 		if (!sc)
> > -			goto out_destroy;
> > +			return -ENOMEM;
> > 
> > 		sc->sc_xprt = r_xprt;
> > 		buf->rb_sc_ctxs[i] = sc;
> > 	}
> > 
> > 	return 0;
> > -
> > -out_destroy:
> > -	rpcrdma_sendctxs_destroy(buf);
> > -	return -ENOMEM;
> > }
> > 
> > /* The sendctx queue is not guaranteed to have a size that is a
> > -- 
> > 2.17.1
> > 
> 
> --
> Chuck Lever
> 
> 


* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Dan Carpenter @ 2019-01-07 18:41 UTC
  To: Chuck Lever
  Cc: Bruce Fields, Jeff Layton, Trond Myklebust, Anna Schumaker,
	Linux NFS Mailing List, kernel-janitors

On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> 
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > 
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
> 
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
> 

I actually wrote the patch like that originally, but then this way made
for an easier patch description so I re-wrote it.  Let me send the other
patch and you can apply that or both if you want.

regards,
dan carpenter


* [PATCH] xprtrdma: Make rpcrdma_sendctxs_destroy() more robust
From: Dan Carpenter @ 2019-01-07 19:08 UTC
  To: Trond Myklebust
  Cc: Jeff Layton, Anna Schumaker, Chuck Lever, linux-nfs, kernel-janitors

There was a double free in the error handling here recently.  It was
a bit subtle which function was supposed to call rpcrdma_sendctxs_destroy()
so it was called in both.

This patch makes it so we can call rpcrdma_sendctxs_destroy() twice
in a row without crashing.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/sunrpc/xprtrdma/verbs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 7749a2bf6887..d05f4885548d 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -802,9 +802,12 @@ static void rpcrdma_sendctxs_destroy(struct rpcrdma_buffer *buf)
 {
 	unsigned long i;
 
+	if (!buf->rb_sc_ctxs)
+		return;
 	for (i = 0; i <= buf->rb_sc_last; i++)
 		kfree(buf->rb_sc_ctxs[i]);
 	kfree(buf->rb_sc_ctxs);
+	buf->rb_sc_ctxs = NULL;
 }
 
 static struct rpcrdma_sendctx *rpcrdma_sendctx_create(struct rpcrdma_ia *ia)
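Review bot: the `if (!buf->rb_sc_ctxs)` guard at the top of rpcrdma_sendctxs_destroy() makes a repeat call safe only together with the `buf->rb_sc_ctxs = NULL` reset at the end, and it also assumes the pointer is NULL before the first allocation. That initial state is not visible in this hunk and should be confirmed, because a teardown that runs before rpcrdma_sendctxs_create() has allocated the array would otherwise index an uninitialised pointer. Two smaller points: a blank line after the early `return;` would separate the guard from the loop, and a one-line comment saying the function is intentionally idempotent would explain why the pointer is cleared.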
-- 
2.17.1


* Re: [PATCH] xprtrdma: Make rpcrdma_sendctxs_destroy() more robust
From: Chuck Lever @ 2019-01-07 21:25 UTC
  To: Dan Carpenter
  Cc: Trond Myklebust, Jeff Layton, Anna Schumaker,
	Linux NFS Mailing List, kernel-janitors



> On Jan 7, 2019, at 2:08 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> There was a double free in the error handling here recently.  It was
> a bit subtle which function was supposed to call rpcrdma_sendctxs_destroy()
> so it was called in both.
> 
> This patch makes it so we can call rpcrdma_sendctxs_destroy() twice
> in a row without crashing.

Belt-and-braces. I think the other patch "must" be applied, and this
one "should" be applied.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>


> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> net/sunrpc/xprtrdma/verbs.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> index 7749a2bf6887..d05f4885548d 100644
> --- a/net/sunrpc/xprtrdma/verbs.c
> +++ b/net/sunrpc/xprtrdma/verbs.c
> @@ -802,9 +802,12 @@ static void rpcrdma_sendctxs_destroy(struct rpcrdma_buffer *buf)
> {
> 	unsigned long i;
> 
> +	if (!buf->rb_sc_ctxs)
> +		return;
> 	for (i = 0; i <= buf->rb_sc_last; i++)
> 		kfree(buf->rb_sc_ctxs[i]);
> 	kfree(buf->rb_sc_ctxs);
> +	buf->rb_sc_ctxs = NULL;
> }
> 
> static struct rpcrdma_sendctx *rpcrdma_sendctx_create(struct rpcrdma_ia *ia)
> -- 
> 2.17.1
> 

--
Chuck Lever
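
The two fixes discussed in this thread, as a userspace C model added here (not code from the thread or from verbs.c): a create function that cleans up after itself, called from a caller that also cleans up, next to the variant that returns directly and the variant with a guarded destroy. Every name (`run`, `ctxs_create`, `ctxs_destroy`, `t_zalloc`, `t_free`, the fixed pool) is hypothetical, `run` stands in for rpcrdma_buffer_create(), the allocation failure is injected at a chosen element, and frees are only recorded so that a repeated free is counted rather than performed.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model; every name is a hypothetical stand-in, not verbs.c code. */
#define NCTX 4
struct buf { void **ctxs; };
static void *pool[NCTX + 1][NCTX];	/* fixed store: "freed" memory stays readable */
static int freed[NCTX + 1], nalloc, double_frees, fail_at;

static void *t_zalloc(void)		/* zeroing allocator over the pool */
{
	freed[nalloc] = 0;
	return memset(pool[nalloc++], 0, sizeof(pool[0]));
}

/* NULL is a no-op, as with kfree(); freeing a pointer again is counted. */
static void t_free(void *p)
{
	for (int i = 0; p && i < nalloc; i++)
		if (p == (void *)pool[i] && freed[i]++)
			double_frees++;
}

static void ctxs_destroy(struct buf *b, int guarded)
{
	if (guarded && !b->ctxs)
		return;			/* a second call becomes a no-op */
	for (int i = 0; i < NCTX; i++)
		t_free(b->ctxs[i]);
	t_free(b->ctxs);
	if (guarded)
		b->ctxs = NULL;
}

static int ctxs_create(struct buf *b, int self_cleanup, int guarded)
{
	b->ctxs = t_zalloc();
	for (int i = 0; i < NCTX; i++) {
		void *sc = i == fail_at ? NULL : t_zalloc();
		if (!sc) {
			if (self_cleanup)	/* the removed out_destroy path */
				ctxs_destroy(b, guarded);
			return -1;
		}
		b->ctxs[i] = sc;
	}
	return 0;
}

/* Caller with its own cleanup; returns double frees when element `fail` fails. */
int run(int fail, int self_cleanup, int guarded)
{
	struct buf b = { NULL };
	nalloc = double_frees = 0;
	fail_at = fail;
	if (ctxs_create(&b, self_cleanup, guarded) < 0)
		ctxs_destroy(&b, guarded);	/* caller's error path */
	return double_frees;
}

int main(void)
{
	printf("original %d, patch 2/2 %d, guarded destroy %d\n",
	       run(2, 1, 0), run(2, 0, 0), run(2, 1, 1));
}
```

`run(2, 1, 0)` models the code before either patch, `run(2, 0, 0)` the direct return from patch 2/2, and `run(2, 1, 1)` the guarded destroy on its own.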

* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Schumaker, Anna @ 2019-01-07 22:21 UTC
  To: bfields, chuck.lever
  Cc: dan.carpenter, trond.myklebust, linux-nfs, jlayton, kernel-janitors


On Mon, 2019-01-07 at 12:22 -0500, Bruce Fields wrote:
> On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> > > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com>
> > > wrote:
> > > 
> > > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > > call to rpcrdma_sendctxs_destroy() leads to a double free.
> > 
> > True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> > should be made more careful about being called twice. Hm.
> > 
> > Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
> 
> I'm assuming Trond or Anna will pick this up.
> 
> --b.

Yeah, I'll take this one and 1/2 for a 5.0-rc.  I might save the additional
cleanup patch Dan sent for 5.1

Anna

> 
> > 
> > > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send
> > > arguments")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > > 1 file changed, 1 insertion(+), 5 deletions(-)
> > > 
> > > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > > index 3dde05892c8e..4994e75945b8 100644
> > > --- a/net/sunrpc/xprtrdma/verbs.c
> > > +++ b/net/sunrpc/xprtrdma/verbs.c
> > > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct
> > > rpcrdma_xprt *r_xprt)
> > > 	for (i = 0; i <= buf->rb_sc_last; i++) {
> > > 		sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > > 		if (!sc)
> > > -			goto out_destroy;
> > > +			return -ENOMEM;
> > > 
> > > 		sc->sc_xprt = r_xprt;
> > > 		buf->rb_sc_ctxs[i] = sc;
> > > 	}
> > > 
> > > 	return 0;
> > > -
> > > -out_destroy:
> > > -	rpcrdma_sendctxs_destroy(buf);
> > > -	return -ENOMEM;
> > > }
> > > 
> > > /* The sendctx queue is not guaranteed to have a size that is a
> > > -- 
> > > 2.17.1
> > > 
> > 
> > --
> > Chuck Lever
> > 
> > 
