linux/drivers/infiniband/sw/rdmavt
Kaike Wan 941224e094 IB/rdmavt: Free kernel completion queue when done
When a kernel ULP requests the rdmavt to create a completion queue, it
allocates the queue and sets cq->kqueue to point to it. However, when the
completion queue is destroyed, cq->queue is freed instead, leading to a
memory leak:

https://lore.kernel.org/r/215235485.15264050.1583334487658.JavaMail.zimbra@redhat.com

 unreferenced object 0xffffc90006639000 (size 12288):
    comm "kworker/u128:0", pid 8, jiffies 4295777598 (age 589.085s)
    hex dump (first 32 bytes):
      4d 00 00 00 4d 00 00 00 00 c0 08 ac 8b 88 ff ff  M...M...........
      00 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00  ................
    backtrace:
      [<0000000035a3d625>] __vmalloc_node_range+0x361/0x720
      [<000000002942ce4f>] __vmalloc_node.constprop.30+0x63/0xb0
      [<00000000f228f784>] rvt_create_cq+0x98a/0xd80 [rdmavt]
      [<00000000b84aec66>] __ib_alloc_cq_user+0x281/0x1260 [ib_core]
      [<00000000ef3764be>] nvme_rdma_cm_handler+0xdb7/0x1b80 [nvme_rdma]
      [<00000000936b401c>] cma_cm_event_handler+0xb7/0x550 [rdma_cm]
      [<00000000d9c40b7b>] addr_handler+0x195/0x310 [rdma_cm]
      [<00000000c7398a03>] process_one_req+0xdd/0x600 [ib_core]
      [<000000004d29675b>] process_one_work+0x920/0x1740
      [<00000000efedcdb5>] worker_thread+0x87/0xb40
      [<000000005688b340>] kthread+0x327/0x3f0
      [<0000000043a168d6>] ret_from_fork+0x3a/0x50

This patch fixes the issue by freeing cq->kqueue instead.

Fixes: 239b0e52d8 ("IB/hfi1: Move rvt_cq_wc struct into uapi directory")
Link: https://lore.kernel.org/r/20200313123957.14343.43879.stgit@awfm-01.aw.intel.com
Cc: <stable@vger.kernel.org> # 5.4.x
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2020-03-13 11:29:59 -03:00
ah.c infiniband: fix sw/rdmavt/ kernel-doc notation 2019-10-22 14:52:56 -03:00
ah.h RDMA: Handle AH allocations by IB/core 2019-04-08 13:05:25 -03:00
cq.c IB/rdmavt: Free kernel completion queue when done 2020-03-13 11:29:59 -03:00
cq.h RDMA: Convert CQ allocations to be under core responsibility 2019-06-11 16:39:49 -04:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
mad.c RDMA: Mark if destroy address handle is in a sleepable context 2018-12-19 16:28:03 -07:00
mad.h
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
mcast.c
mcast.h
mmap.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
mmap.h IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
mr.c IB: Allow calls to ib_umem_get from kernel ULPs 2020-01-16 16:14:28 +02:00
mr.h IB: Pass uverbs_attr_bundle down ib_x destroy path 2019-04-01 14:57:35 -03:00
pd.c IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
pd.h IB: Pass only ib_udata in function prototypes 2019-04-01 15:00:47 -03:00
qp.c IB/rdmavt: Reset all QPs when the device is shut down 2020-02-11 11:41:32 -04:00
qp.h IB/hfi1: Move receive work queue struct into uapi directory 2019-06-28 22:32:16 -03:00
rc.c IB/rdmavt: Correct comments in rdmavt_qp.h header 2020-01-03 16:44:50 -04:00
srq.c IB/rdmavt: Fracture single lock used for posting and processing RWQEs 2019-06-28 22:32:16 -03:00
srq.h RDMA: Handle SRQ allocations by IB/core 2019-04-08 13:05:25 -03:00
trace_cq.h IB/rdmavt: Add wc_flags and wc_immdata to cq entry trace 2019-01-18 13:48:19 -07:00
trace_mr.h IB/rdmavt: Add trace for map_mr_sg 2019-06-28 22:34:26 -03:00
trace_qp.h IB/rdmavt: Fix ab/ba include issues 2019-04-24 11:31:49 -03:00
trace_rc.h IB/rdmavt: Fix ab/ba include issues 2019-04-24 11:31:49 -03:00
trace_rvt.h
trace_tx.h IB/rdmavt: Fix ab/ba include issues 2019-04-24 11:31:49 -03:00
trace.c
trace.h
vt.c infiniband: fix sw/rdmavt/ kernel-doc notation 2019-10-22 14:52:56 -03:00
vt.h IB/{hfi1, qib, rdmavt}: Put qp in error state when cq is full 2019-06-28 22:34:26 -03:00