Message ID | 20221017142652.13906-1-n.petrova@fintech.ru |
---|---|
State | New |
Series | rdmavt: avoid NULL pointer dereference in rvt_qp_exit() |
Commit Message
Natalia Petrova
Oct. 17, 2022, 2:26 p.m. UTC
rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is
dereferenced before that in rvt_free_all_qps().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut
down")
Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Comments
On Mon, Oct 17, 2022 at 05:26:52PM +0300, Natalia Petrova wrote: > rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is > dereferenced before that in rvt_free_all_qps(). > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut > down") Please never break fixes line. > Signed-off-by: Natalia Petrova <n.petrova@fintech.ru> > Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> > --- > drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c > index 3acab569fbb9..06e755975f61 100644 > --- a/drivers/infiniband/sw/rdmavt/qp.c > +++ b/drivers/infiniband/sw/rdmavt/qp.c > @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) > */ > void rvt_qp_exit(struct rvt_dev_info *rdi) > { > - u32 qps_inuse = rvt_free_all_qps(rdi); > + u32 qps_inuse = 0; > + > + if (!rdi->qp_dev) > + return; > + > + qps_inuse = rvt_free_all_qps(rdi); These lines are not needed. > > if (qps_inuse) > rvt_pr_err(rdi, "QP memory leak! %u still in use\n", > qps_inuse); > - if (!rdi->qp_dev) > - return; It is enough to delete these two lines. At this stage, rdi->qp_dev always exists as it was created in rvt_register_device(). Thanks
On 10/18/22 4:41 AM, Leon Romanovsky wrote: > On Mon, Oct 17, 2022 at 05:26:52PM +0300, Natalia Petrova wrote: >> rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is >> dereferenced before that in rvt_free_all_qps(). >> >> Found by Linux Verification Center (linuxtesting.org) with SVACE. >> >> Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut >> down") > > Please never break fixes line. > >> Signed-off-by: Natalia Petrova <n.petrova@fintech.ru> >> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> >> --- >> drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++--- >> 1 file changed, 6 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c >> index 3acab569fbb9..06e755975f61 100644 >> --- a/drivers/infiniband/sw/rdmavt/qp.c >> +++ b/drivers/infiniband/sw/rdmavt/qp.c >> @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) >> */ >> void rvt_qp_exit(struct rvt_dev_info *rdi) >> { >> - u32 qps_inuse = rvt_free_all_qps(rdi); >> + u32 qps_inuse = 0; >> + >> + if (!rdi->qp_dev) >> + return; >> + >> + qps_inuse = rvt_free_all_qps(rdi); > > These lines are not needed. > >> >> if (qps_inuse) >> rvt_pr_err(rdi, "QP memory leak! %u still in use\n", >> qps_inuse); >> - if (!rdi->qp_dev) >> - return; > > It is enough to delete these two lines. At this stage, rdi->qp_dev always > exists as it was created in rvt_register_device(). > Agree with Leon here. qp_dev is created in rvt_register_device which will fail if the qp dev allocation fails in rvt_driver_qp_init(). -Denny
diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index 3acab569fbb9..06e755975f61 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) */ void rvt_qp_exit(struct rvt_dev_info *rdi) { - u32 qps_inuse = rvt_free_all_qps(rdi); + u32 qps_inuse = 0; + + if (!rdi->qp_dev) + return; + + qps_inuse = rvt_free_all_qps(rdi); if (qps_inuse) rvt_pr_err(rdi, "QP memory leak! %u still in use\n", qps_inuse); - if (!rdi->qp_dev) - return; kfree(rdi->qp_dev->qp_table); free_qpn_table(&rdi->qp_dev->qpn_table);
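Review bot: The early `if (!rdi->qp_dev) return;` added at the top of rvt_qp_exit() keeps a NULL check whose necessity the patch never establishes. The commit message only says the old check came after the dereference in rvt_free_all_qps(); it does not say that qp_dev can actually be NULL on this path. Both reviewers in the thread state that qp_dev always exists by the time rvt_qp_exit() runs. If so, deleting the two removed lines at the bottom of the hunk resolves the inconsistency on its own, and the `u32 qps_inuse = 0;` initializer with the split assignment is unnecessary churn. If a NULL qp_dev is reachable after all, name the caller in the commit message and do not return silently: the early return also skips the "QP memory leak!" report and the kfree(rdi->qp_dev->qp_table) / free_qpn_table() cleanup that follow, so a broken teardown order would go unnoticed.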