Xiaoxu, thanks for this fix; it's a duplicate of https://lore.kernel.org/lkml/6a3ba62e-6116-7f09-b314-d6823671aaa9@xxxxxxxxxxx/T/

Thanks,
Zhijian

On 18/11/2022 19:18, Zhang Xiaoxu wrote:
> There is a double free when mount.cifs over rdma with MR allocate failed:
>
> BUG: KASAN: double-free in __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
> Free of addr ffff88817f8f0a20 by task mount.cifs/28201
>
> CPU: 1 PID: 28201 Comm: mount.cifs Not tainted 6.1.0-rc5+ #84
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
> Call Trace:
>  dump_stack_lvl+0x34/0x44
>  print_report+0x171/0x472
>  kasan_report_invalid_free+0x84/0xf0
>  ____kasan_slab_free+0x166/0x1b0
>  __kmem_cache_free+0xc8/0x330
>  __rxe_cleanup+0x101/0x1d0 [rdma_rxe]
>  rxe_alloc_mr+0x88/0x90 [rdma_rxe]
>  ib_alloc_mr+0x5a/0x1d0
>  _smbd_get_connection+0x1c0f/0x21a0
>  smbd_get_connection+0x21/0x40
>  cifs_get_tcp_session+0x8ef/0xda0
>  mount_get_conns+0x60/0x750
>  cifs_mount+0x103/0xd00
>  cifs_smb3_do_mount+0x1dd/0xcb0
>  smb3_get_tree+0x1d5/0x300
>  vfs_get_tree+0x41/0xf0
>  path_mount+0x9b3/0xdd0
>  __x64_sys_mount+0x190/0x1d0
>  do_syscall_64+0x35/0x80
>  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Allocated by task 28201:
>  kasan_save_stack+0x1e/0x40
>  kasan_set_track+0x21/0x30
>  __kasan_kmalloc+0x7a/0x90
>  __kmalloc+0x5f/0x150
>  rxe_mr_alloc+0x5d/0x240 [rdma_rxe]
>  rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
>  rxe_alloc_mr+0x64/0x90 [rdma_rxe]
>  ib_alloc_mr+0x5a/0x1d0
>  _smbd_get_connection+0x1c0f/0x21a0
>  smbd_get_connection+0x21/0x40
>  cifs_get_tcp_session+0x8ef/0xda0
>  mount_get_conns+0x60/0x750
>  cifs_mount+0x103/0xd00
>  cifs_smb3_do_mount+0x1dd/0xcb0
>  smb3_get_tree+0x1d5/0x300
>  vfs_get_tree+0x41/0xf0
>  path_mount+0x9b3/0xdd0
>  __x64_sys_mount+0x190/0x1d0
>  do_syscall_64+0x35/0x80
>  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Freed by task 28201:
>  kasan_save_stack+0x1e/0x40
>  kasan_set_track+0x21/0x30
>  kasan_save_free_info+0x2a/0x40
>  ____kasan_slab_free+0x143/0x1b0
>  __kmem_cache_free+0xc8/0x330
>  rxe_mr_alloc+0x16d/0x240 [rdma_rxe]
>  rxe_mr_init_fast+0xfd/0x180 [rdma_rxe]
>  rxe_alloc_mr+0x64/0x90 [rdma_rxe]
>  ib_alloc_mr+0x5a/0x1d0
>  _smbd_get_connection+0x1c0f/0x21a0
>  smbd_get_connection+0x21/0x40
>  cifs_get_tcp_session+0x8ef/0xda0
>  mount_get_conns+0x60/0x750
>  cifs_mount+0x103/0xd00
>  cifs_smb3_do_mount+0x1dd/0xcb0
>  smb3_get_tree+0x1d5/0x300
>  vfs_get_tree+0x41/0xf0
>  path_mount+0x9b3/0xdd0
>  __x64_sys_mount+0x190/0x1d0
>  do_syscall_64+0x35/0x80
>  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> When MR allocation fails, the MRs and the array are already freed,
> but the cleanup process frees them again.
>
> Let's set the MRs array to NULL when MR allocation fails, to
> avoid the cleanup process freeing them again.
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
> ---
>  drivers/infiniband/sw/rxe/rxe_mr.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
> index 502e9ada99b3..82dd14654686 100644
> --- a/drivers/infiniband/sw/rxe/rxe_mr.c
> +++ b/drivers/infiniband/sw/rxe/rxe_mr.c
> @@ -99,6 +99,7 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
>  		kfree(mr->map[i]);
>  
>  	kfree(mr->map);
> +	mr->map = NULL;
>  err1:
>  	return -ENOMEM;
>  }
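Review bot: the added `mr->map = NULL;` after `kfree(mr->map);` only prevents the second free if the cleanup reached from rxe_alloc_mr (the `__rxe_cleanup` frame in the KASAN report) tests `mr->map` for NULL before walking and freeing it; that check lies outside this hunk, so the commit message should state that it exists, otherwise a NULL array paired with a stale map count would merely move the fault from a double free to a NULL dereference. The per-entry `kfree(mr->map[i])` loop just above the hunk is also left untouched, so the array elements are not nulled individually; that is fine as long as the cleanup path keys on the array pointer alone. Finally, as Zhijian's reply notes, an equivalent fix was already posted on the list, so this should be reconciled with that series rather than applied twice.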