[for-rc] IB/rdmavt: Free kernel completion queue when done

Message ID 20200313123957.14343.43879.stgit@awfm-01.aw.intel.com (mailing list archive)
State Mainlined
Commit 941224e09483ea3428ffc6402de56a4a2e2cb6da
Delegated to: Jason Gunthorpe

Commit Message

Marciniszyn, Mike March 13, 2020, 12:39 p.m. UTC
From: Kaike Wan <kaike.wan@intel.com>

When a kernel ULP requests the rdmavt to create a completion queue, it
allocated the queue and set cq->kqueue to point to it. However, when
the completion queue is destroyed, cq->queue is freed instead, leading
to a memory leak:

https://marc.info/?l=linux-rdma&m=158344182614924&w=2

unreferenced object 0xffffc90006639000 (size 12288):
comm "kworker/u128:0", pid 8, jiffies 4295777598 (age 589.085s)
    hex dump (first 32 bytes):
      4d 00 00 00 4d 00 00 00 00 c0 08 ac 8b 88 ff ff  M...M...........
      00 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00  ................
    backtrace:
      [<0000000035a3d625>] __vmalloc_node_range+0x361/0x720
      [<000000002942ce4f>] __vmalloc_node.constprop.30+0x63/0xb0
      [<00000000f228f784>] rvt_create_cq+0x98a/0xd80 [rdmavt]
      [<00000000b84aec66>] __ib_alloc_cq_user+0x281/0x1260 [ib_core]
      [<00000000ef3764be>] nvme_rdma_cm_handler+0xdb7/0x1b80 [nvme_rdma]
      [<00000000936b401c>] cma_cm_event_handler+0xb7/0x550 [rdma_cm]
      [<00000000d9c40b7b>] addr_handler+0x195/0x310 [rdma_cm]
      [<00000000c7398a03>] process_one_req+0xdd/0x600 [ib_core]
      [<000000004d29675b>] process_one_work+0x920/0x1740
      [<00000000efedcdb5>] worker_thread+0x87/0xb40
      [<000000005688b340>] kthread+0x327/0x3f0
      [<0000000043a168d6>] ret_from_fork+0x3a/0x50

This patch fixes the issue by freeing cq->kqueue instead.

Fixes: 239b0e52d8aa ("IB/hfi1: Move rvt_cq_wc struct into uapi directory")
Cc: <stable@vger.kernel.org> # 5.4.x
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
---
 drivers/infiniband/sw/rdmavt/cq.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jason Gunthorpe March 13, 2020, 2:33 p.m. UTC | #1
On Fri, Mar 13, 2020 at 08:39:57AM -0400, Mike Marciniszyn wrote:
> From: Kaike Wan <kaike.wan@intel.com>
> 
> When a kernel ULP requests the rdmavt to create a completion queue, it
> allocated the queue and set cq->kqueue to point to it. However, when
> the completion queue is destroyed, cq->queue is freed instead, leading
> to a memory leak:
> 
> https://marc.info/?l=linux-rdma&m=158344182614924&w=2

Please always use lore.kernel.org for links to emails, I fixed it.

> unreferenced object 0xffffc90006639000 (size 12288):
> comm "kworker/u128:0", pid 8, jiffies 4295777598 (age 589.085s)
>     hex dump (first 32 bytes):
>       4d 00 00 00 4d 00 00 00 00 c0 08 ac 8b 88 ff ff  M...M...........
>       00 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00  ................
>     backtrace:
>       [<0000000035a3d625>] __vmalloc_node_range+0x361/0x720
>       [<000000002942ce4f>] __vmalloc_node.constprop.30+0x63/0xb0
>       [<00000000f228f784>] rvt_create_cq+0x98a/0xd80 [rdmavt]
>       [<00000000b84aec66>] __ib_alloc_cq_user+0x281/0x1260 [ib_core]
>       [<00000000ef3764be>] nvme_rdma_cm_handler+0xdb7/0x1b80 [nvme_rdma]
>       [<00000000936b401c>] cma_cm_event_handler+0xb7/0x550 [rdma_cm]
>       [<00000000d9c40b7b>] addr_handler+0x195/0x310 [rdma_cm]
>       [<00000000c7398a03>] process_one_req+0xdd/0x600 [ib_core]
>       [<000000004d29675b>] process_one_work+0x920/0x1740
>       [<00000000efedcdb5>] worker_thread+0x87/0xb40
>       [<000000005688b340>] kthread+0x327/0x3f0
>       [<0000000043a168d6>] ret_from_fork+0x3a/0x50
> 
> This patch fixes the issue by freeing cq->kqueue instead.
> 
> Fixes: 239b0e52d8aa ("IB/hfi1: Move rvt_cq_wc struct into uapi directory")
> Cc: <stable@vger.kernel.org> # 5.4.x
> Reported-by: Yi Zhang <yi.zhang@redhat.com>
> Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
> Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
> Signed-off-by: Kaike Wan <kaike.wan@intel.com>
> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
> --
>  drivers/infiniband/sw/rdmavt/cq.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-rc

Thanks,
Jason

Patch

diff --git a/drivers/infiniband/sw/rdmavt/cq.c b/drivers/infiniband/sw/rdmavt/cq.c
index 13d7f66..5724cbb 100644
--- a/drivers/infiniband/sw/rdmavt/cq.c
+++ b/drivers/infiniband/sw/rdmavt/cq.c
@@ -327,7 +327,7 @@  void rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata)
 	if (cq->ip)
 		kref_put(&cq->ip->ref, rvt_release_mmap_info);
 	else
-		vfree(cq->queue);
+		vfree(cq->kqueue);
 }
 
 /**
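
Review bot: The else branch of rvt_destroy_cq() relies on an ownership rule that is not written down anywhere in the visible code: when cq->ip is set the buffer is released through kref_put(&cq->ip->ref, rvt_release_mmap_info), and otherwise only cq->kqueue is freed. Please add a short comment above the if/else saying which of cq->queue and cq->kqueue is valid in each branch, since the two near-identical field names are what let the wrong pointer be passed to vfree() in the first place. It is also worth confirming in the changelog that no creation path can leave cq->queue allocated while cq->ip is unset, because after this change such a buffer would no longer be freed here. No NULL check is needed before the call, as vfree(NULL) is a no-op.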