There is a double free when mount.cifs over rdma with MR allocate failed:
BUG: KASAN: double-free in __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
Free of addr ffff88817f8f0a20 by task mount.cifs/28201CPU: 1 PID: 28201 Comm: mount.cifs Not tainted 6.1.0-rc5+ #84
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report_invalid_free+0x84/0xf0
____kasan_slab_free+0x166/0x1b0
__kmem_cache_free+0xc8/0x330
__rxe_cleanup+0x101/0x1d0 [rdma_rxe]
rxe_alloc_mr+0x88/0x90 [rdma_rxe]
ib_alloc_mr+0x5a/0x1d0
_smbd_get_connection+0x1c0f/0x21a0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Allocated by task 28201:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x7a/0x90
__kmalloc+0x5f/0x150
rxe_mr_alloc+0x5d/0x240 [rdma_rxe]
rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
rxe_alloc_mr+0x64/0x90 [rdma_rxe]
ib_alloc_mr+0x5a/0x1d0
_smbd_get_connection+0x1c0f/0x21a0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 28201:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
__kmem_cache_free+0xc8/0x330
rxe_mr_alloc+0x16d/0x240 [rdma_rxe]
rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
rxe_alloc_mr+0x64/0x90 [rdma_rxe]
ib_alloc_mr+0x5a/0x1d0
_smbd_get_connection+0x1c0f/0x21a0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
When allocate MR failed, the MRs and the array already freed,
but in the cleanup process, free them again.
Let's set the MRs array to NULL when MRs allocate failed to
avoid cleanup process free them again.
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
---
drivers/infiniband/sw/rxe/rxe_mr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
index 502e9ada99b3..82dd14654686 100644
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -99,6 +99,7 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
kfree(mr->map[i]);
kfree(mr->map);
+ mr->map = NULL;
err1:
return -ENOMEM;
}
--
2.31.1
