| Message ID | 20230517211509.1819998-1-rpearsonhpe@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to | Jason Gunthorpe |
| Series | [for-next] RDMA/rxe: Fix ref count error in check_rkey() |
On Wed, May 17, 2023 at 04:15:10PM -0500, Bob Pearson wrote:
> There is a reference count error in error path code and a
> potential race in check_rkey() in rxe_resp.c. When looking
> up the rkey for a memory window the reference to the mw from
> rxe_lookup_mw() is dropped before a reference is taken on the
> mr referenced by the mw. If the mr is destroyed immediately
> after the call to rxe_put(mw) the mr pointer is unprotected
> and may end up pointing at freed memory. The rxe_get(mr) call
> should take place before the rxe_put(mw) call.
>
> All errors in check_rkey() call rxe_put(mw) if mw is not NULL
> but it was already called after the above. The mw pointer
> should be set to NULL after the rxe_put(mw) call to prevent
> this from happening.
>
> This patch corrects these errors.
>
> Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
> ---
> drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Applied to for-rc, thanks

Jason
On 6/1/23 12:33, Jason Gunthorpe wrote:
> On Wed, May 17, 2023 at 04:15:10PM -0500, Bob Pearson wrote:
>> There is a reference count error in error path code and a
>> potential race in check_rkey() in rxe_resp.c. When looking
>> up the rkey for a memory window the reference to the mw from
>> rxe_lookup_mw() is dropped before a reference is taken on the
>> mr referenced by the mw. If the mr is destroyed immediately
>> after the call to rxe_put(mw) the mr pointer is unprotected
>> and may end up pointing at freed memory. The rxe_get(mr) call
>> should take place before the rxe_put(mw) call.
>>
>> All errors in check_rkey() call rxe_put(mw) if mw is not NULL
>> but it was already called after the above. The mw pointer
>> should be set to NULL after the rxe_put(mw) call to prevent
>> this from happening.
>>
>> This patch corrects these errors.
>>
>> Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
>> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
>> ---
>> drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> Applied to for-rc, thanks
>
> Jason

thanks
diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c index 68f6cd188d8e..5d8d336c402d 100644 --- a/drivers/infiniband/sw/rxe/rxe_resp.c +++ b/drivers/infiniband/sw/rxe/rxe_resp.c @@ -489,8 +489,9 @@ static enum resp_states check_rkey(struct rxe_qp *qp, if (mw->access & IB_ZERO_BASED) qp->resp.offset = mw->addr; - rxe_put(mw); rxe_get(mr); + rxe_put(mw); + mw = NULL; } else { mr = lookup_mr(qp->pd, access, rkey, RXE_LOOKUP_REMOTE); if (!mr) {
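Review bot: with `mw = NULL` now following `rxe_put(mw)`, the shared error cleanup the commit message describes (`rxe_put(mw)` when mw is not NULL) releases nothing for this branch, yet the branch leaves the block holding the reference taken by `rxe_get(mr)`; the hunk's trailing context stops at the `else` branch, so confirm that every later error exit in check_rkey() drops mr, otherwise the change trades a double put on mw for a leaked mr reference on those paths. A one-line comment above `rxe_get(mr)` saying that mr must be pinned before the mw reference (and with it the mw's hold on mr) goes away would also keep a future cleanup from restoring the old order.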
There is a reference count error in error path code and a potential race in check_rkey() in rxe_resp.c. When looking up the rkey for a memory window the reference to the mw from rxe_lookup_mw() is dropped before a reference is taken on the mr referenced by the mw. If the mr is destroyed immediately after the call to rxe_put(mw) the mr pointer is unprotected and may end up pointing at freed memory. The rxe_get(mr) call should take place before the rxe_put(mw) call.

All errors in check_rkey() call rxe_put(mw) if mw is not NULL but it was already called after the above. The mw pointer should be set to NULL after the rxe_put(mw) call to prevent this from happening.

This patch corrects these errors.

Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
---
drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
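The two defects the commit message describes (taking the mr reference only after the mw reference is dropped, and leaving mw non-NULL for the shared error cleanup) are modelled below in plain C as an added example. This is not code from the rxe driver: the toy_mr/toy_mw types, model_check_rkey(), and the "owner" that destroys the mr right after the mw is put are all assumptions chosen to make the race deterministic, and "freed" is a flag rather than a real kfree() so the outcome can be inspected instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-ins for the rxe MR and MW objects (hypothetical names). */
struct toy_mr {
	int refcnt;
	bool freed;			/* last reference dropped */
	bool touched_after_free;	/* a get() ran on a freed object: use-after-free */
};

struct toy_mw {
	int refcnt;
	bool freed;
	struct toy_mr *mr;		/* the MW pins its MR with one reference */
};

static void toy_mr_get(struct toy_mr *mr)
{
	if (mr->freed)
		mr->touched_after_free = true;	/* in the driver this is a UAF */
	mr->refcnt++;
}

static void toy_mr_put(struct toy_mr *mr)
{
	if (--mr->refcnt == 0)
		mr->freed = true;
}

static void toy_mw_put(struct toy_mw *mw)
{
	if (--mw->refcnt == 0) {
		mw->freed = true;
		toy_mr_put(mw->mr);	/* destroying the MW releases its hold on the MR */
	}
}

struct outcome {
	bool mr_used_after_free;	/* want false */
	int mr_refcnt;			/* references left on mr for the caller: want 1 */
	int mw_refcnt;			/* must never go negative (double put) */
};

/* Model of the MW branch of check_rkey() followed by a later error exit that
 * runs the shared "if (mw) rxe_put(mw)" cleanup. 'fixed' selects the order
 * from the patch. The racing destroy is the mr owner dropping its reference
 * immediately after rxe_put(mw), exactly the window the commit message names. */
static struct outcome model_check_rkey(bool fixed)
{
	struct toy_mr mr_obj = { .refcnt = 2 };		/* 1 owner + 1 held by the MW */
	struct toy_mw mw_obj = { .refcnt = 1, .mr = &mr_obj };	/* the lookup's reference */
	struct toy_mr *mr = mw_obj.mr;
	struct toy_mw *mw = &mw_obj;
	struct outcome out;

	if (fixed) {
		toy_mr_get(mr);		/* pin mr while the MW still keeps it alive */
		toy_mw_put(mw);
		mw = NULL;		/* later error exits must not put mw again */
		toy_mr_put(mr);		/* racing owner destroy: mr survives on our ref */
	} else {
		toy_mw_put(mw);		/* MW gone, and with it its hold on mr */
		toy_mr_put(mr);		/* racing owner destroy: mr is now freed */
		toy_mr_get(mr);		/* reference taken on freed memory */
	}

	/* A later error path in check_rkey(): "if (mw) rxe_put(mw)". */
	if (mw)
		toy_mw_put(mw);		/* second put on an already-destroyed MW */

	out.mr_used_after_free = mr_obj.touched_after_free;
	out.mr_refcnt = mr_obj.refcnt;
	out.mw_refcnt = mw_obj.refcnt;
	return out;
}

int main(void)
{
	struct outcome before = model_check_rkey(false);
	struct outcome after = model_check_rkey(true);

	printf("before fix: uaf=%d mr_refcnt=%d mw_refcnt=%d\n",
	       before.mr_used_after_free, before.mr_refcnt, before.mw_refcnt);
	printf("after fix:  uaf=%d mr_refcnt=%d mw_refcnt=%d\n",
	       after.mr_used_after_free, after.mr_refcnt, after.mw_refcnt);
	return 0;
}
```

With the old order the model reports the get() landing on a freed mr and the mw count going to -1 from the second put; with the patch's order the caller ends holding exactly one valid mr reference and the mw count stays at 0.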