Subject: Re: [PATCH for-next] RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt
From: Bob Pearson
To: Zhu Yanjun
Cc: Jason Gunthorpe, RDMA mailing list, Bob Pearson
Date: Wed, 27 Jan 2021 22:23:53 -0600
References: <20210128011226.3096-1-rpearson@hpe.com> <643809c8-7740-7373-2975-cac9aeb4e111@gmail.com>
In-Reply-To: <643809c8-7740-7373-2975-cac9aeb4e111@gmail.com>
X-Mailing-List: linux-rdma@vger.kernel.org

On 1/27/21 9:53 PM, Bob Pearson wrote:
> On 1/27/21 9:50 PM, Zhu Yanjun wrote:
>> On Thu, Jan 28, 2021 at 9:12 AM Bob Pearson wrote:
>>>
>>> rxe_rcv_mcast_pkt() in rxe_recv.c can leak SKBs in error path
>>> code. The loop over the QPs attached to a multicast group
>>> creates new cloned SKBs for all but the last QP in the list
>>> and passes the SKB and its clones to rxe_rcv_pkt() for further
>>> processing. Any QPs that do not pass some checks are skipped.
>>> If the last QP in the list fails the tests the SKB is leaked.
>>> This patch checks if the SKB for the last QP was used and if
>>> not frees it. Also removes a redundant loop invariant assignment.
>>>
>>> Fixes: 8700e3e7c4857 ("Soft RoCE driver")
>>> Fixes: 71abf20b28ff8 ("RDMA/rxe: Handle skb_clone() failure in rxe_recv.c")
>>> Signed-off-by: Bob Pearson
>>> ---
>>> drivers/infiniband/sw/rxe/rxe_recv.c | 18 +++++++++++-------
>>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
>>> index c9984a28eecc..57cc25e3b4ad 100644
>>> --- a/drivers/infiniband/sw/rxe/rxe_recv.c
>>> +++ b/drivers/infiniband/sw/rxe/rxe_recv.c
>>> @@ -252,7 +252,6 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) >>> >>> list_for_each_entry(mce, &mcg->qp_list, qp_list) { >>> qp = mce->qp; >>> - pkt = SKB_TO_PKT(skb); >>> >>> /* validate qp for incoming packet */ >>> err = check_type_state(rxe, pkt, qp); >>> @@ -264,12 +263,18 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) >>> continue; >>> >>> /* for all but the last qp create a new clone of the >>> - * skb and pass to the qp. >>> + * skb and pass to the qp. If an error occurs in the >>> + * checks for the last qp in the list we need to >>> + * free the skb since it hasn't been passed on to >>> + * rxe_rcv_pkt() which would free it later. >>> */ >>> - if (mce->qp_list.next != &mcg->qp_list) >>> + if (mce->qp_list.next != &mcg->qp_list) { >>> per_qp_skb = skb_clone(skb, GFP_ATOMIC); >>> - else >>> + } else { >>> per_qp_skb = skb; >>> + /* show we have consumed the skb */ >>> + skb = NULL; >>> + } >>> >>> if (unlikely(!per_qp_skb)) >>> continue; >>> @@ -284,10 +289,9 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) >>> >>> rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */ >>> >>> - return; >>> - >>> err1: >>> - kfree_skb(skb); >>> + if (skb) >>> + kfree_skb(skb); >> >> "if (skb)" is not needed here. >> >> The implemetation of kfree_skb: >> >> void kfree_skb(struct sk_buff *skb) >> { >> if (unlikely(!skb)) >> return; >> if (likely(atomic_read(&skb->users) == 1)) >> smp_rmb(); >> else if (likely(!atomic_dec_and_test(&skb->users))) >> return; >> trace_kfree_skb(skb, __builtin_return_address(0)); >> __kfree_skb(skb); >> } >> >> Zhu Yanjun >>> } >>> >>> /** >>> -- >>> 2.27.0 >>> > Agreed but the reason I wrote that was to make it obvious why I set skb to NULL above. But as long as it is clear without it I can remove the test. > Actually I should have written if (unlikely(skb)) kfree_skb(skb);
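
Review bot: the removal of pkt = SKB_TO_PKT(skb) from the loop body in the first hunk (@@ -252,7) is a cleanup unrelated to the leak, and the patch carries two Fixes: tags, so it would be easier to review and backport with that cleanup split into its own patch. If it stays, note that check_type_state(rxe, pkt, qp) now depends on pkt having been assigned before the loop, which is outside the context shown in the hunk.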
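
Review bot: in the second hunk (@@ -264,12) the added comment text explains the free done at err1 but sits above the clone-or-hand-over branch, so a reader at the kfree_skb() call gets no hint why skb can be NULL or non-NULL there. Suggest keeping only "show we have consumed the skb" at the skb = NULL assignment and moving the explanation (skb is still ours when the last qp was skipped by one of the continue statements) next to the free.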
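
Review bot: with return removed in the third hunk (@@ -284,10), the success path now falls through the err1 label, so the label name no longer matches how it is reached; rename it (for example to out or drop). The if (skb) guard can go, as Zhu Yanjun points out, because the quoted kfree_skb() returns immediately on a NULL pointer, and the if (unlikely(skb)) variant proposed in the reply repeats that same test.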
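
The leak described in the commit message and the ownership hand-off the patch introduces, modeled in user space as an added example (not code from this thread or from the rxe driver). struct buf, buf_alloc(), buf_clone(), buf_free(), deliver() and mcast_deliver() are hypothetical stand-ins, and the empty-list case it also covers goes beyond what the commit message describes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins: struct buf for sk_buff, buf_clone() for skb_clone(),
 * buf_free() for kfree_skb(), deliver() for rxe_rcv_pkt(). */
struct buf { int unused; };
static int live;                         /* allocated and not yet freed */
static struct buf *buf_alloc(void)
{
	struct buf *b = malloc(sizeof(*b));
	live += (b != NULL);
	return b;
}
static struct buf *buf_clone(struct buf *b) { return b ? buf_alloc() : NULL; }
static void buf_free(struct buf *b) { if (b) { live--; free(b); } } /* NULL ok */
static void deliver(struct buf *b) { buf_free(b); }  /* receiver owns and frees */

/* qp_ok[i] != 0: QP i passes the checks. fixed != 0: patched logic.
 * Returns the number of buffers leaked by one multicast delivery. */
int mcast_deliver(const int *qp_ok, int nqp, int fixed)
{
	struct buf *skb, *per_qp;

	live = 0;
	skb = buf_alloc();
	for (int i = 0; i < nqp; i++) {
		if (!qp_ok[i])
			continue;            /* QP skipped, skb not handed over */
		if (i != nqp - 1) {
			per_qp = buf_clone(skb);
		} else {
			per_qp = skb;
			if (fixed)
				skb = NULL;      /* ownership moved to the receiver */
		}
		if (!per_qp)
			continue;
		deliver(per_qp);
	}
	if (fixed)
		buf_free(skb);           /* no-op when the last QP consumed it */
	return live;
}

int main(void)
{
	int last_bad[] = { 1, 1, 0 };    /* constructed: last QP fails the checks */
	printf("old=%d fixed=%d\n", mcast_deliver(last_bad, 3, 0), mcast_deliver(last_bad, 3, 1));
	return 0;
}
```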