* [PATCH v1,for-rc] RDMA/siw: free siw_base_qp in kref release routine
From: Krishnamraju Eraparaju @ 2019-10-07 10:42 UTC
To: jgg, bmt; +Cc: linux-rdma, bharat, nirranjan, Krishnamraju Eraparaju
As siw_free_qp() is the last routine to access the 'siw_base_qp' structure,
freeing this structure early in siw_destroy_qp() could cause a
touch-after-free issue.
Hence, moved kfree(siw_base_qp) from siw_destroy_qp() to siw_free_qp().
Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
Signed-off-by: Krishnamraju Eraparaju <krishna2@chelsio.com>
---
v0 -> v1:
- added "Fixes" line.
---
drivers/infiniband/sw/siw/siw_qp.c | 2 ++
drivers/infiniband/sw/siw/siw_verbs.c | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c
index 430314c8abd9..c317f6e18ea8 100644
--- a/drivers/infiniband/sw/siw/siw_qp.c
+++ b/drivers/infiniband/sw/siw/siw_qp.c
@@ -1305,6 +1305,7 @@ int siw_qp_add(struct siw_device *sdev, struct siw_qp *qp)
void siw_free_qp(struct kref *ref)
{
struct siw_qp *found, *qp = container_of(ref, struct siw_qp, ref);
+ struct siw_base_qp *siw_base_qp = to_siw_base_qp(qp->ib_qp);
struct siw_device *sdev = qp->sdev;
unsigned long flags;
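Review bot: The new local at the top of siw_free_qp() is computed from qp->ib_qp, so the release routine now relies on qp->ib_qp being set and still pointing into the base QP whenever the last reference is dropped, and the hunk shows no check for that. If any path can reach siw_free_qp() with qp->ib_qp unset, to_siw_base_qp() would yield a pointer that is later passed to kfree(); please confirm that cannot happen or guard the lookup, and state the assumption in a comment.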
@@ -1327,4 +1328,5 @@ void siw_free_qp(struct kref *ref)
atomic_dec(&sdev->num_qp);
siw_dbg_qp(qp, "free QP\n");
kfree_rcu(qp, rcu);
+ kfree(siw_base_qp);
}
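Review bot: At the end of siw_free_qp(), qp is released with kfree_rcu(qp, rcu) while the added kfree(siw_base_qp) frees the base QP immediately, so the two objects now have different lifetimes. If any reader still permitted to look at qp during the grace period can follow qp->ib_qp, it would reach freed memory; either add a comment explaining why no such reader exists or defer the base QP free in the same way.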
diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
index 869e02b69a01..b18a677832e1 100644
--- a/drivers/infiniband/sw/siw/siw_verbs.c
+++ b/drivers/infiniband/sw/siw/siw_verbs.c
@@ -604,7 +604,6 @@ int siw_verbs_modify_qp(struct ib_qp *base_qp, struct ib_qp_attr *attr,
int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata)
{
struct siw_qp *qp = to_siw_qp(base_qp);
- struct siw_base_qp *siw_base_qp = to_siw_base_qp(base_qp);
struct siw_ucontext *uctx =
rdma_udata_to_drv_context(udata, struct siw_ucontext,
base_ucontext);
@@ -641,7 +640,6 @@ int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata)
qp->scq = qp->rcq = NULL;
siw_qp_put(qp);
- kfree(siw_base_qp);
return 0;
}
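Review bot: Missing documentation at the siw_qp_put(qp) call in siw_destroy_qp(): with kfree(siw_base_qp) moved into the release routine, this put may be the call that frees both qp and the memory behind base_qp, so nothing after it may touch either. A one-line comment there would keep a later change from reintroducing the touch-after-free issue the commit message describes.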
--
2.23.0.rc0
* Re: [PATCH v1,for-rc] RDMA/siw: free siw_base_qp in kref release routine
From: Doug Ledford @ 2019-10-18 18:50 UTC
To: Krishnamraju Eraparaju, jgg, bmt; +Cc: linux-rdma, bharat, nirranjan
On Mon, 2019-10-07 at 16:12 +0530, Krishnamraju Eraparaju wrote:
> As siw_free_qp() is the last routine to access the 'siw_base_qp'
> structure, freeing this structure early in siw_destroy_qp() could
> cause a touch-after-free issue.
> Hence, moved kfree(siw_base_qp) from siw_destroy_qp() to
> siw_free_qp().
>
> Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
> Signed-off-by: Krishnamraju Eraparaju <krishna2@chelsio.com>
Thanks, applied to for-rc.
--
Doug Ledford <dledford@redhat.com>
GPG KeyID: B826A3330E572FDD
Fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD