* [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Dan Carpenter @ 2019-01-05 13:06 UTC (permalink / raw)
To: J. Bruce Fields, Chuck Lever
Cc: Jeff Layton, Trond Myklebust, Anna Schumaker, linux-nfs, kernel-janitors

The clean up is handled by the caller, rpcrdma_buffer_create(), so this
call to rpcrdma_sendctxs_destroy() leads to a double free.

Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
net/sunrpc/xprtrdma/verbs.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 3dde05892c8e..4994e75945b8 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
for (i = 0; i <= buf->rb_sc_last; i++) {
sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
if (!sc)
- goto out_destroy;
+ return -ENOMEM;
sc->sc_xprt = r_xprt;
buf->rb_sc_ctxs[i] = sc;
}
return 0;
-
-out_destroy:
- rpcrdma_sendctxs_destroy(buf);
- return -ENOMEM;
}
/* The sendctx queue is not guaranteed to have a size that is a
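Review bot: the new `return -ENOMEM` inside the loop leaves buf->rb_sc_ctxs partly populated and depends on the caller to free it, but nothing at this site says so. Since the commit message names rpcrdma_buffer_create() as the owner of that cleanup, a one-line comment at the return (or above the function) stating that the caller runs rpcrdma_sendctxs_destroy() on failure would keep the next error path added here from reintroducing the double free. It is also worth confirming that the array is zero-initialised where it is allocated, outside this hunk, because the caller's destroy then walks slots this loop never filled.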
--
2.17.1
* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Chuck Lever @ 2019-01-05 16:24 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bruce Fields, Jeff Layton, Trond Myklebust, Anna Schumaker,
Linux NFS Mailing List, kernel-janitors
> On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> call to rpcrdma_sendctxs_destroy() leads to a double free.

True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
should be made more careful about being called twice. Hm.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

> Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> net/sunrpc/xprtrdma/verbs.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> index 3dde05892c8e..4994e75945b8 100644
> --- a/net/sunrpc/xprtrdma/verbs.c
> +++ b/net/sunrpc/xprtrdma/verbs.c
> @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> for (i = 0; i <= buf->rb_sc_last; i++) {
> sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> if (!sc)
> - goto out_destroy;
> + return -ENOMEM;
>
> sc->sc_xprt = r_xprt;
> buf->rb_sc_ctxs[i] = sc;
> }
>
> return 0;
> -
> -out_destroy:
> - rpcrdma_sendctxs_destroy(buf);
> - return -ENOMEM;
> }
>
> /* The sendctx queue is not guaranteed to have a size that is a
> --
> 2.17.1
>
--
Chuck Lever
* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Bruce Fields @ 2019-01-07 17:22 UTC (permalink / raw)
To: Chuck Lever
Cc: Dan Carpenter, Jeff Layton, Trond Myklebust, Anna Schumaker,
Linux NFS Mailing List, kernel-janitors
On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
>
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
>
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
>
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

I'm assuming Trond or Anna will pick this up.

--b.

>
>
> > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send arguments")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > 1 file changed, 1 insertion(+), 5 deletions(-)
> >
> > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > index 3dde05892c8e..4994e75945b8 100644
> > --- a/net/sunrpc/xprtrdma/verbs.c
> > +++ b/net/sunrpc/xprtrdma/verbs.c
> > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
> > for (i = 0; i <= buf->rb_sc_last; i++) {
> > sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > if (!sc)
> > - goto out_destroy;
> > + return -ENOMEM;
> >
> > sc->sc_xprt = r_xprt;
> > buf->rb_sc_ctxs[i] = sc;
> > }
> >
> > return 0;
> > -
> > -out_destroy:
> > - rpcrdma_sendctxs_destroy(buf);
> > - return -ENOMEM;
> > }
> >
> > /* The sendctx queue is not guaranteed to have a size that is a
> > --
> > 2.17.1
> >
>
> --
> Chuck Lever
>
>
* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Schumaker, Anna @ 2019-01-07 22:21 UTC (permalink / raw)
To: bfields, chuck.lever
Cc: dan.carpenter, trond.myklebust, linux-nfs, jlayton, kernel-janitors
On Mon, 2019-01-07 at 12:22 -0500, Bruce Fields wrote:
> On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
> > > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com>
> > > wrote:
> > >
> > > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > > call to rpcrdma_sendctxs_destroy() leads to a double free.
> >
> > True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> > should be made more careful about being called twice. Hm.
> >
> > Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
>
> I'm assuming Trond or Anna will pick this up.
>
> --b.

Yeah, I'll take this one and 1/2 for a 5.0-rc. I might save the additional
cleanup patch Dan sent for 5.1.

Anna

>
> >
> > > Fixes: ae72950abf99 ("xprtrdma: Add data structure to manage RDMA Send
> > > arguments")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > ---
> > > net/sunrpc/xprtrdma/verbs.c | 6 +-----
> > > 1 file changed, 1 insertion(+), 5 deletions(-)
> > >
> > > diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> > > index 3dde05892c8e..4994e75945b8 100644
> > > --- a/net/sunrpc/xprtrdma/verbs.c
> > > +++ b/net/sunrpc/xprtrdma/verbs.c
> > > @@ -845,17 +845,13 @@ static int rpcrdma_sendctxs_create(struct
> > > rpcrdma_xprt *r_xprt)
> > > for (i = 0; i <= buf->rb_sc_last; i++) {
> > > sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
> > > if (!sc)
> > > - goto out_destroy;
> > > + return -ENOMEM;
> > >
> > > sc->sc_xprt = r_xprt;
> > > buf->rb_sc_ctxs[i] = sc;
> > > }
> > >
> > > return 0;
> > > -
> > > -out_destroy:
> > > - rpcrdma_sendctxs_destroy(buf);
> > > - return -ENOMEM;
> > > }
> > >
> > > /* The sendctx queue is not guaranteed to have a size that is a
> > > --
> > > 2.17.1
> > >
> >
> > --
> > Chuck Lever
> >
> >
* Re: [PATCH 2/2] xprtrdma: Double free in rpcrdma_sendctxs_create()
From: Dan Carpenter @ 2019-01-07 18:41 UTC (permalink / raw)
To: Chuck Lever
Cc: Bruce Fields, Jeff Layton, Trond Myklebust, Anna Schumaker,
Linux NFS Mailing List, kernel-janitors
On Sat, Jan 05, 2019 at 11:24:45AM -0500, Chuck Lever wrote:
>
> > On Jan 5, 2019, at 8:06 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > The clean up is handled by the caller, rpcrdma_buffer_create(), so this
> > call to rpcrdma_sendctxs_destroy() leads to a double free.
>
> True. This fix is adequate, but I'm wondering if rpcrdma_sendctxs_destroy
> should be made more careful about being called twice. Hm.
>

I actually wrote the patch like that originally, but then this way made
for an easier patch description so I re-wrote it. Let me send the other
patch and you can apply that or both if you want.

regards,
dan carpenter
* [PATCH] xprtrdma: Make rpcrdma_sendctxs_destroy() more robust
From: Dan Carpenter @ 2019-01-07 19:08 UTC (permalink / raw)
To: Trond Myklebust
Cc: Jeff Layton, Trond Myklebust, Anna Schumaker, Chuck Lever,
linux-nfs, kernel-janitors

There was a double free in the error handling here recently. It was
a bit subtle which function was supposed to call rpcrdma_sendctxs_destroy()
so it was called in both.

This patch makes it so we can call rpcrdma_sendctxs_destroy() twice
in a row without crashing.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
net/sunrpc/xprtrdma/verbs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 7749a2bf6887..d05f4885548d 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -802,9 +802,12 @@ static void rpcrdma_sendctxs_destroy(struct rpcrdma_buffer *buf)
{
unsigned long i;
+ if (!buf->rb_sc_ctxs)
+ return;
for (i = 0; i <= buf->rb_sc_last; i++)
kfree(buf->rb_sc_ctxs[i]);
kfree(buf->rb_sc_ctxs);
+ buf->rb_sc_ctxs = NULL;
}
static struct rpcrdma_sendctx *rpcrdma_sendctx_create(struct rpcrdma_ia *ia)
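Review bot: the `if (!buf->rb_sc_ctxs) return;` guard at the top of rpcrdma_sendctxs_destroy() turns a repeated call into a silent no-op, so a future caller that gets the teardown ownership wrong will no longer show up in testing. Consider a short comment above the function saying it is safe to call more than once and why, so the guard is not later removed as dead code. The trailing `buf->rb_sc_ctxs = NULL;` is what makes the guard effective, so the two additions need to stay together if this function is refactored.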
--
2.17.1
* Re: [PATCH] xprtrdma: Make rpcrdma_sendctxs_destroy() more robust
From: Chuck Lever @ 2019-01-07 21:25 UTC (permalink / raw)
To: Dan Carpenter
Cc: Trond Myklebust, Jeff Layton, Anna Schumaker,
Linux NFS Mailing List, kernel-janitors
> On Jan 7, 2019, at 2:08 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> There was a double free in the error handling here recently. It was
> a bit subtle which function was supposed to call rpcrdma_sendctxs_destroy()
> so it was called in both.
>
> This patch makes it so we can call rpcrdma_sendctxs_destroy() twice
> in a row without crashing.

Belt-and-braces. I think the other patch "must" be applied, and this
one "should" be applied.

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> net/sunrpc/xprtrdma/verbs.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
> index 7749a2bf6887..d05f4885548d 100644
> --- a/net/sunrpc/xprtrdma/verbs.c
> +++ b/net/sunrpc/xprtrdma/verbs.c
> @@ -802,9 +802,12 @@ static void rpcrdma_sendctxs_destroy(struct rpcrdma_buffer *buf)
> {
> unsigned long i;
>
> + if (!buf->rb_sc_ctxs)
> + return;
> for (i = 0; i <= buf->rb_sc_last; i++)
> kfree(buf->rb_sc_ctxs[i]);
> kfree(buf->rb_sc_ctxs);
> + buf->rb_sc_ctxs = NULL;
> }
>
> static struct rpcrdma_sendctx *rpcrdma_sendctx_create(struct rpcrdma_ia *ia)
> --
> 2.17.1
>
--
Chuck Lever