Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE

In `UVERBS_METHOD_CQ_CREATE`, umem should be released if anything goes
wrong. Currently, if `create_cq_umem` fails, umem would not be
released or referenced, causing a possible leak.

In this patch, we release umem at `UVERBS_METHOD_CQ_CREATE`; the driver
should not release umem if it returns an error code.

Fixes: 1a40c362ae26 ("RDMA/uverbs: Add a common way to create CQ with umem")
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Link: https://patch.msgid.link/aOh1le4YqtYwj-hH@osx.local
Signed-off-by: Leon Romanovsky <leon@kernel.org>

Authored by Shuhao Fu and committed by Leon Romanovsky
d8713158 5575b764

+8 -9
+1
drivers/infiniband/core/uverbs_std_types_cq.c
··· 206 206 return ret; 207 207 208 208 err_free: 209 + ib_umem_release(umem); 209 210 rdma_restrack_put(&cq->res); 210 211 kfree(cq); 211 212 err_event_file:
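Review bot: The ownership rule that makes the new `ib_umem_release(umem);` under `err_free:` safe (the driver must not release umem when it returns an error) is stated only in the commit message, so a driver that still releases umem on its own error path would now free it twice. Please document the rule in a comment at `err_free:` or next to the create_cq_umem op, and confirm that every driver implementing that op has been converted; only efa is changed in this patch. Two smaller things to check in the same spot: the call is unconditional, so it depends on ib_umem_release() tolerating a NULL umem when the CQ is created without one (the efa code removed by this patch guarded it with `if (umem)`), and the release sits only under `err_free:`, so any failure that jumps to `err_event_file:` after umem has been obtained would still skip it.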
+7 -9
drivers/infiniband/hw/efa/efa_verbs.c
··· 1216 1216 if (umem->length < cq->size) { 1217 1217 ibdev_dbg(&dev->ibdev, "External memory too small\n"); 1218 1218 err = -EINVAL; 1219 - goto err_free_mem; 1219 + goto err_out; 1220 1220 } 1221 1221 1222 1222 if (!ib_umem_is_contiguous(umem)) { 1223 1223 ibdev_dbg(&dev->ibdev, "Non contiguous CQ unsupported\n"); 1224 1224 err = -EINVAL; 1225 - goto err_free_mem; 1225 + goto err_out; 1226 1226 } 1227 1227 1228 1228 cq->cpu_addr = NULL; ··· 1251 1251 1252 1252 err = efa_com_create_cq(&dev->edev, &params, &result); 1253 1253 if (err) 1254 - goto err_free_mem; 1254 + goto err_free_mapped; 1255 1255 1256 1256 resp.db_off = result.db_off; 1257 1257 resp.cq_idx = result.cq_idx; ··· 1299 1299 efa_cq_user_mmap_entries_remove(cq); 1300 1300 err_destroy_cq: 1301 1301 efa_destroy_cq_idx(dev, cq->cq_idx); 1302 - err_free_mem: 1303 - if (umem) 1304 - ib_umem_release(umem); 1305 - else 1306 - efa_free_mapped(dev, cq->cpu_addr, cq->dma_addr, cq->size, DMA_FROM_DEVICE); 1307 - 1302 + err_free_mapped: 1303 + if (!umem) 1304 + efa_free_mapped(dev, cq->cpu_addr, cq->dma_addr, cq->size, 1305 + DMA_FROM_DEVICE); 1308 1306 err_out: 1309 1307 atomic64_inc(&dev->stats.create_cq_err); 1310 1308 return err;
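Review bot: In the first efa hunk, the two umem validation failures ("External memory too small" and "Non contiguous CQ unsupported") now use `goto err_out;`, which bypasses `err_free_mapped:` entirely. That is correct only because nothing has been mapped or allocated at that point in the umem branch (`cq->cpu_addr = NULL;` comes after both checks); a one-line comment saying so would keep a later change that adds setup before these checks from turning the jump into a leak.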
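Review bot: In the last efa hunk, `err_free_mapped:` is still reached with a non-NULL umem, both from the `efa_com_create_cq()` failure and by fall-through from `err_destroy_cq:`, and the bare `if (!umem)` guard is the only hint that umem is now owned by the caller on error. Please add a short comment at the label stating that the uverbs core releases umem on failure, so that nobody restores the removed `ib_umem_release(umem);` here and reintroduces a double release. The label name also reads as unconditional although the body only runs for the driver-allocated buffer; a name or comment that reflects the `!umem` case would help.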