All of lore.kernel.org
 help / color / mirror / Atom feed
From: maxg@mellanox.com (Max Gurtovoy)
Subject: [PATCH 1/7] nvme-rdma: fix possible double free condition when failing to create a controller
Date: Wed, 20 Jun 2018 12:06:33 +0300	[thread overview]
Message-ID: <0af01f6d-75f3-3a8c-bcca-abd6a8da3920@mellanox.com> (raw)
In-Reply-To: <20180619123415.25077-2-sagi@grimberg.me>



On 6/19/2018 3:34 PM, Sagi Grimberg wrote:
> Failures after nvme_init_ctrl will defer resource cleanups to .free_ctrl
> when the reference is released, hence we should not free the controller queues
> for these failures.

see below.

> 
> Fix that by moving controller queues allocation before controller initialization
> and correctly freeing them for failures before initialization and skip them
> for failures after initialization.
> 
> Signed-off-by: Sagi Grimberg <sagi at grimberg.me>
> ---
>   drivers/nvme/host/rdma.c | 18 +++++++++---------
>   1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
> index c9424da0d23e..99d213ea95da 100644
> --- a/drivers/nvme/host/rdma.c
> +++ b/drivers/nvme/host/rdma.c
> @@ -1932,11 +1932,6 @@ static struct nvme_ctrl *nvme_rdma_create_ctrl(struct device *dev,
>   		goto out_free_ctrl;
>   	}
>   
> -	ret = nvme_init_ctrl(&ctrl->ctrl, dev, &nvme_rdma_ctrl_ops,
> -				0 /* no quirks, we're perfect! */);
> -	if (ret)
> -		goto out_free_ctrl;
> -
>   	INIT_DELAYED_WORK(&ctrl->reconnect_work,
>   			nvme_rdma_reconnect_ctrl_work);
>   	INIT_WORK(&ctrl->err_work, nvme_rdma_error_recovery_work);
> @@ -1950,14 +1945,19 @@ static struct nvme_ctrl *nvme_rdma_create_ctrl(struct device *dev,
>   	ctrl->queues = kcalloc(ctrl->ctrl.queue_count, sizeof(*ctrl->queues),
>   				GFP_KERNEL);
>   	if (!ctrl->queues)
> -		goto out_uninit_ctrl;
> +		goto out_free_ctrl;
> +
> +	ret = nvme_init_ctrl(&ctrl->ctrl, dev, &nvme_rdma_ctrl_ops,
> +				0 /* no quirks, we're perfect! */);
> +	if (ret)
> +		goto out_kfree_queues;
>   
>   	changed = nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING);
>   	WARN_ON_ONCE(!changed);
>   
>   	ret = nvme_rdma_configure_admin_queue(ctrl, true);
>   	if (ret)
> -		goto out_kfree_queues;
> +		goto out_uninit_ctrl;
>   
>   	/* sanity check icdoff */
>   	if (ctrl->ctrl.icdoff) {
> @@ -2014,14 +2014,14 @@ static struct nvme_ctrl *nvme_rdma_create_ctrl(struct device *dev,
>   
>   out_remove_admin_queue:
>   	nvme_rdma_destroy_admin_queue(ctrl, true);
> -out_kfree_queues:
> -	kfree(ctrl->queues);
>   out_uninit_ctrl:
>   	nvme_uninit_ctrl(&ctrl->ctrl);
>   	nvme_put_ctrl(&ctrl->ctrl);
>   	if (ret > 0)
>   		ret = -EIO;
>   	return ERR_PTR(ret);

can you explain this error flow ? we'll never free the queues since the 
list &ctrl->list is empty. I guess a fix to nvme_rdma_free_ctrl is 
needed in this case.
Also, when ret will be > 0 ?


> +out_kfree_queues:
> +	kfree(ctrl->queues);
>   out_free_ctrl:
>   	kfree(ctrl);
>   	return ERR_PTR(ret);
> 

  reply	other threads:[~2018-06-20  9:06 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-19 12:34 [PATCH 0/7] few nvme-rdma fixes for 4.18 Sagi Grimberg
2018-06-19 12:34 ` [PATCH 1/7] nvme-rdma: fix possible double free condition when failing to create a controller Sagi Grimberg
2018-06-20  9:06   ` Max Gurtovoy [this message]
2018-06-20 10:41     ` Sagi Grimberg
2018-06-20 12:29       ` Christoph Hellwig
2018-06-19 12:34 ` [PATCH 2/7] nvme-rdma: fix possible free non-allocated async event buffer Sagi Grimberg
2018-06-20  8:31   ` Christoph Hellwig
2018-06-20 12:02     ` Max Gurtovoy
2018-06-24 10:40       ` [Suspected-Phishing]Re: " Max Gurtovoy
2018-06-24 16:00         ` Sagi Grimberg
2018-06-24 16:19           ` Max Gurtovoy
2018-06-19 12:34 ` [PATCH 3/7] nvme-rdma: Fix command completion race at error recovery Sagi Grimberg
2018-06-19 12:34 ` [PATCH 4/7] nvme-rdma: unquiesce queues when deleting the controller Sagi Grimberg
2018-06-21  9:57   ` Max Gurtovoy
2018-06-24 16:07     ` Sagi Grimberg
2018-06-19 12:34 ` [PATCH 5/7] nvme-rdma: don't override opts->queue_size Sagi Grimberg
2018-06-19 16:56   ` Daniel Verkamp
2018-06-19 12:34 ` [PATCH 6/7] nvme-rdma: centralize controller setup sequence Sagi Grimberg
2018-06-19 12:34 ` [PATCH 7/7] nvme-rdma: centralize admin/io queue teardown sequence Sagi Grimberg
2018-06-20  8:40 ` [PATCH 0/7] few nvme-rdma fixes for 4.18 Christoph Hellwig
2018-06-20  8:40   ` Sagi Grimberg
2018-06-20  8:52     ` Christoph Hellwig
2018-06-20  8:53       ` Sagi Grimberg
2018-06-20  9:05         ` Christoph Hellwig
2018-06-20  9:08           ` Sagi Grimberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0af01f6d-75f3-3a8c-bcca-abd6a8da3920@mellanox.com \
    --to=maxg@mellanox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.