RDMA: Check umem pointer validity prior to release
Update ib_umem_release() to behave similarly to kfree() and allow
submitting NULL pointer as safe input to this function.
Fixes: a52c8e2469 ("RDMA: Clean destroy CQ in drivers do not return errors")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
This commit is contained in:
Leon Romanovsky
committed by
Doug Ledford
Doug Ledford
parent
89a6da3cb8
commit
836a0fbb3e
@@ -1125,11 +1125,6 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void un_resize_user(struct mlx5_ib_cq *cq)
|
||||
{
|
||||
ib_umem_release(cq->resize_umem);
|
||||
}
|
||||
|
||||
static int resize_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
|
||||
int entries, int cqe_size)
|
||||
{
|
||||
@@ -1152,12 +1147,6 @@ ex:
|
||||
return err;
|
||||
}
|
||||
|
||||
static void un_resize_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq)
|
||||
{
|
||||
free_cq_buf(dev, cq->resize_buf);
|
||||
cq->resize_buf = NULL;
|
||||
}
|
||||
|
||||
static int copy_resize_cqes(struct mlx5_ib_cq *cq)
|
||||
{
|
||||
struct mlx5_ib_dev *dev = to_mdev(cq->ibcq.device);
|
||||
@@ -1338,10 +1327,11 @@ ex_alloc:
|
||||
kvfree(in);
|
||||
|
||||
ex_resize:
|
||||
if (udata)
|
||||
un_resize_user(cq);
|
||||
else
|
||||
un_resize_kernel(dev, cq);
|
||||
ib_umem_release(cq->resize_umem);
|
||||
if (!udata) {
|
||||
free_cq_buf(dev, cq->resize_buf);
|
||||
cq->resize_buf = NULL;
|
||||
}
|
||||
ex:
|
||||
mutex_unlock(&cq->resize_mutex);
|
||||
return err;
|
||||
|
||||
@@ -1507,10 +1507,9 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start,
|
||||
return 0;
|
||||
|
||||
err:
|
||||
if (mr->umem) {
|
||||
ib_umem_release(mr->umem);
|
||||
mr->umem = NULL;
|
||||
}
|
||||
ib_umem_release(mr->umem);
|
||||
mr->umem = NULL;
|
||||
|
||||
clean_mr(dev, mr);
|
||||
return err;
|
||||
}
|
||||
@@ -1630,10 +1629,10 @@ static void dereg_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
|
||||
* remove the DMA mapping.
|
||||
*/
|
||||
mlx5_mr_cache_free(dev, mr);
|
||||
if (umem) {
|
||||
ib_umem_release(umem);
|
||||
ib_umem_release(umem);
|
||||
if (umem)
|
||||
atomic_sub(npages, &dev->mdev->priv.reg_pages);
|
||||
}
|
||||
|
||||
if (!mr->allocated_from_cache)
|
||||
kfree(mr);
|
||||
}
|
||||
|
||||
@@ -790,8 +790,7 @@ static void destroy_user_rq(struct mlx5_ib_dev *dev, struct ib_pd *pd,
|
||||
atomic_dec(&dev->delay_drop.rqs_cnt);
|
||||
|
||||
mlx5_ib_db_unmap_user(context, &rwq->db);
|
||||
if (rwq->umem)
|
||||
ib_umem_release(rwq->umem);
|
||||
ib_umem_release(rwq->umem);
|
||||
}
|
||||
|
||||
static int create_user_rq(struct mlx5_ib_dev *dev, struct ib_pd *pd,
|
||||
@@ -977,8 +976,7 @@ err_free:
|
||||
kvfree(*in);
|
||||
|
||||
err_umem:
|
||||
if (ubuffer->umem)
|
||||
ib_umem_release(ubuffer->umem);
|
||||
ib_umem_release(ubuffer->umem);
|
||||
|
||||
err_bfreg:
|
||||
if (bfregn != MLX5_IB_INVALID_BFREG)
|
||||
@@ -997,8 +995,7 @@ static void destroy_qp_user(struct mlx5_ib_dev *dev, struct ib_pd *pd,
|
||||
ibucontext);
|
||||
|
||||
mlx5_ib_db_unmap_user(context, &qp->db);
|
||||
if (base->ubuffer.umem)
|
||||
ib_umem_release(base->ubuffer.umem);
|
||||
ib_umem_release(base->ubuffer.umem);
|
||||
|
||||
/*
|
||||
* Free only the BFREGs which are handled by the kernel.
|
||||
|
||||
Reference in New Issue
Block a user