IB/rxe: Fix a MR reference leak in check_rkey()
authorBart Van Assche <bart.vanassche@sandisk.com>
Tue, 10 Jan 2017 19:15:51 +0000 (11:15 -0800)
committerDoug Ledford <dledford@redhat.com>
Tue, 10 Jan 2017 21:52:47 +0000 (16:52 -0500)
Avoid that calling check_rkey() for mem->state == RXE_MEM_STATE_FREE
triggers an MR reference leak.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Andrew Boyer <andrew.boyer@dell.com>
Cc: Moni Shoua <monis@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/sw/rxe/rxe_resp.c

index 33defad..60d78f4 100644 (file)
@@ -418,7 +418,7 @@ static enum resp_states check_length(struct rxe_qp *qp,
 static enum resp_states check_rkey(struct rxe_qp *qp,
                                   struct rxe_pkt_info *pkt)
 {
-       struct rxe_mem *mem;
+       struct rxe_mem *mem = NULL;
        u64 va;
        u32 rkey;
        u32 resid;
@@ -459,38 +459,38 @@ static enum resp_states check_rkey(struct rxe_qp *qp,
        mem = lookup_mem(qp->pd, access, rkey, lookup_remote);
        if (!mem) {
                state = RESPST_ERR_RKEY_VIOLATION;
-               goto err1;
+               goto err;
        }
 
        if (unlikely(mem->state == RXE_MEM_STATE_FREE)) {
                state = RESPST_ERR_RKEY_VIOLATION;
-               goto err1;
+               goto err;
        }
 
        if (mem_check_range(mem, va, resid)) {
                state = RESPST_ERR_RKEY_VIOLATION;
-               goto err2;
+               goto err;
        }
 
        if (pkt->mask & RXE_WRITE_MASK)  {
                if (resid > mtu) {
                        if (pktlen != mtu || bth_pad(pkt)) {
                                state = RESPST_ERR_LENGTH;
-                               goto err2;
+                               goto err;
                        }
 
                        resid = mtu;
                } else {
                        if (pktlen != resid) {
                                state = RESPST_ERR_LENGTH;
-                               goto err2;
+                               goto err;
                        }
                        if ((bth_pad(pkt) != (0x3 & (-resid)))) {
                                /* This case may not be exactly that
                                 * but nothing else fits.
                                 */
                                state = RESPST_ERR_LENGTH;
-                               goto err2;
+                               goto err;
                        }
                }
        }
@@ -500,9 +500,9 @@ static enum resp_states check_rkey(struct rxe_qp *qp,
        qp->resp.mr = mem;
        return RESPST_EXECUTE;
 
-err2:
-       rxe_drop_ref(mem);
-err1:
+err:
+       if (mem)
+               rxe_drop_ref(mem);
        return state;
 }