From patchwork Tue Jun  6 15:02:44 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Marciniszyn, Mike" <mike.marciniszyn@intel.com>
X-Patchwork-Id: 9769079
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	036FD6035D for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue,  6 Jun 2017 15:02:56 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB1762679B
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue,  6 Jun 2017 15:02:55 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DFC8E28481; Tue,  6 Jun 2017 15:02:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C6772679B
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Tue,  6 Jun 2017 15:02:55 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751823AbdFFPCr (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Tue, 6 Jun 2017 11:02:47 -0400
Received: from mga04.intel.com ([192.55.52.120]:15003 "EHLO mga04.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751822AbdFFPCq (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Tue, 6 Jun 2017 11:02:46 -0400
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
	by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	06 Jun 2017 08:02:45 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.39,306,1493708400"; d="scan'208";a="865121881"
Received: from sedona.ch.intel.com ([143.182.228.65])
	by FMSMGA003.fm.intel.com with ESMTP; 06 Jun 2017 08:02:45 -0700
Received: from phlsvsles11.ph.intel.com (phlsvsles11.ph.intel.com
	[10.228.195.43])
	by sedona.ch.intel.com (8.13.6/8.14.3/Standard MailSET/Hub) with
	ESMTP id v56F2iGH016399; Tue, 6 Jun 2017 08:02:45 -0700
Received: from phlsvslse11.ph.intel.com (localhost [127.0.0.1])
	by phlsvsles11.ph.intel.com with ESMTP id v56F2ihE014689;
	Tue, 6 Jun 2017 11:02:44 -0400
Subject: [PATCH] RDMA/qib: Fix MR reference count leak on write with
	immediate
To: stable@vger.kernel.org
From: Mike Marciniszyn <mike.marciniszyn@intel.com>
Cc: linux-rdma@vger.kernel.org, stable-commits@vger.kernel.org
Date: Tue, 06 Jun 2017 11:02:44 -0400
Message-ID: <20170606150244.14663.71707.stgit@phlsvslse11.ph.intel.com>
User-Agent: StGit/0.16
MIME-Version: 1.0
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

commit 1feb40067cf04ae48d65f728d62ca255c9449178 upstream.

The handling of IB_RDMA_WRITE_ONLY_WITH_IMMEDIATE will leak a memory
reference when a buffer cannot be allocated for returning the immediate
data.

The issue is that the rkey validation has already occurred and the RNR
nak fails to release the reference that was fruitlessly gotten.  The
the peer will send the identical single packet request when its RNR
timer pops.

The fix is to release the held reference prior to the rnr nak exit.
This is the only sequence the requires both rkey validation and the
buffer allocation on the same packet.

[This backports the fix for pre-rdmavt based qib drivers]

Cc: <stable@vger.kernel.org> # 3.10.x,3.16.x,4.1.x,4.4.x
Tested-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
 drivers/infiniband/hw/qib/qib_rc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/infiniband/hw/qib/qib_rc.c b/drivers/infiniband/hw/qib/qib_rc.c
index e6b7556..cbc4216 100644
--- a/drivers/infiniband/hw/qib/qib_rc.c
+++ b/drivers/infiniband/hw/qib/qib_rc.c
@@ -2088,8 +2088,10 @@ send_last:
 		ret = qib_get_rwqe(qp, 1);
 		if (ret < 0)
 			goto nack_op_err;
-		if (!ret)
+		if (!ret) {
+			qib_put_ss(&qp->r_sge);
 			goto rnr_nak;
+		}
 		wc.ex.imm_data = ohdr->u.rc.imm_data;
 		hdrsize += 4;
 		wc.wc_flags = IB_WC_WITH_IMM;