On Mon, Jan 24, 2022 at 03:25:02PM +0300, Dan Carpenter wrote:
> Call c4iw_put_wr_wait() if c4iw_wait_for_reply() fails. This
> code uses kobject so the worst impact from this bug is a DoS.
>
> Fixes: 2015f26cfade ("iw_cxgb4: add referencing to wait objects")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> >From static analysis. Not tested.
>
> drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
Are you sure?
Looking at the caller alloc_srq_queue() it calls down to
c4iw_ref_send_wait() then immediately exits on failure
The only caller c4iw_create_srq()
ret = alloc_srq_queue(srq, ucontext ? &ucontext->uctx :
&rhp->rdev.uctx, srq->wr_waitp);
if (ret)
goto err_free_skb;
And then
err_free_skb:
kfree_skb(srq->destroy_skb);
err_free_srq_idx:
c4iw_free_srq_idx(&rhp->rdev, srq->idx);
err_free_wr_wait:
c4iw_put_wr_wait(srq->wr_waitp);
So we just double put the thing with this patch
I have no idea how this logic is supposed to work, and clearly
something is buggy in here, but I can't say this is right..
Jason
