Re: [PATCH] RDMA/cxgb4: fix refcounting leak in c4iw_ref_send_wait()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jan 24, 2022 at 03:25:02PM +0300, Dan Carpenter wrote:
> Call c4iw_put_wr_wait() if c4iw_wait_for_reply() fails.  This
> code uses kobject so the worst impact from this bug is a DoS.
> 
> Fixes: 2015f26cfade ("iw_cxgb4: add referencing to wait objects")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> >From static analysis.  Not tested.
> 
>  drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)

Are you sure?  

Looking at the caller alloc_srq_queue() it calls down to
c4iw_ref_send_wait() then immediately exits on failure

The only caller c4iw_create_srq() 

	ret = alloc_srq_queue(srq, ucontext ? &ucontext->uctx :
			&rhp->rdev.uctx, srq->wr_waitp);
	if (ret)
		goto err_free_skb;

And then

err_free_skb:
	kfree_skb(srq->destroy_skb);
err_free_srq_idx:
	c4iw_free_srq_idx(&rhp->rdev, srq->idx);
err_free_wr_wait:
	c4iw_put_wr_wait(srq->wr_waitp);

So we just double put the thing with this patch

I have no idea how this logic is supposed to work, and clearly
something is buggy in here,  but I can't say this is right..

Jason



[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux