[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1669099673-12213-1-git-send-email-wangyufen@huawei.com>
Date: Tue, 22 Nov 2022 14:47:53 +0800
From: Wang Yufen <wangyufen@...wei.com>
To: <jgg@...pe.ca>, <leon@...nel.org>, <markzhang@...dia.com>,
<haakon.bugge@...cle.com>, <mbloch@...dia.com>
CC: <sean.hefty@...el.com>, <rolandd@...co.com>,
<linux-rdma@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
Wang Yufen <wangyufen@...wei.com>
Subject: [PATCH] infiniband: cma: fix the dev refcnt leak
Syzbot report the following issue:
infiniband syj1: RDMA CMA: cma_listen_on_dev, error -98
unregister_netdevice: waiting for vlan0 to become free. Usage count = 2
The causes are as follows:
rdma_listen()
rdma_bind_addr()
cma_acquire_dev_by_src_ip()
cma_attach_to_dev()
_cma_attach_to_dev()
cma_dev_get()
cma_check_port()
<--The return value is -98, goto err
err:
<-- The error handling here is missing the operation of cma_release_dev.
To fix, add cma_release_dev to error handing.
Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
Reported-by: syzbot+5e70d01ee8985ae62a3b@...kaller.appspotmail.com
Signed-off-by: Wang Yufen <wangyufen@...wei.com>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 26d1772..3a50a8e 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -4049,6 +4049,9 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
return 0;
err:
id_priv->backlog = 0;
+ if (id_priv->cma_dev)
+ cma_release_dev(id_priv);
+
/*
* All the failure paths that lead here will not allow the req_handler's
* to have run.
--
1.8.3.1
Powered by blists - more mailing lists