On Tue, Dec 11, 2018 at 06:47:43PM +0200, Yuval Shaia wrote: > On Tue, Dec 11, 2018 at 06:56:41PM +0530, P J P wrote: > > From: Prasad J Pandit <p...@fedoraproject.org> > > > > create_cq and create_qp routines allocate ring object, but it's > > not released in case of an error, leading to memory leakage. > > > > Reported-by: Li Qiang <liq...@163.com> > > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > > --- > > hw/rdma/vmw/pvrdma_cmd.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > > index ee2888259c..e8d99f29fa 100644 > > --- a/hw/rdma/vmw/pvrdma_cmd.c > > +++ b/hw/rdma/vmw/pvrdma_cmd.c > > @@ -337,7 +337,9 @@ static int create_cq(PVRDMADev *dev, union > > pvrdma_cmd_req *req, > > > > resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, > > cmd->cqe, &resp->cq_handle, ring); > > - resp->cqe = cmd->cqe; > > + if (resp->hdr.err) { > > + g_free(ring); > > This is not enough since all the ring's resources (ring state and ring's pages) > are left mapped. > > The steps needed are the steps detailed in destroy_cq. > > > + } > > > > out: > > pr_dbg("ret=%d\n", resp->hdr.err); > > @@ -490,6 +492,10 @@ static int create_qp(PVRDMADev *dev, union > > pvrdma_cmd_req *req, > > cmd->max_send_sge, > > cmd->send_cq_handle, > > cmd->max_recv_wr, cmd->max_recv_sge, > > cmd->recv_cq_handle, rings, > > &resp->qpn); > > + if (resp->hdr.err) { > > + g_free(rings); > > Ditto, here the send ring and recv rings stay mapped. > Look at how QP's ring is destroyed in destroy_qp. > > For both cases, I suggest defining a new static function that destroys rings > and calling it from both the error flow of create_* and from destroy_* > > > + goto out; > > + } > > > > resp->max_send_wr = cmd->max_send_wr; > > resp->max_recv_wr = cmd->max_recv_wr;
Also, can you rebase this patch on top of the patchset I posted last week: https://patchwork.kernel.org/patch/10705439/ Thanks, > > -- > > 2.19.2 > >
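Review bot: in the create_cq hunk, the line `resp->cqe = cmd->cqe;` is removed instead of being kept next to the new error check, so resp->cqe is no longer set from cmd->cqe on the success path, and the commit message says nothing about that. If the removal is not intended, keep the assignment and put the `if (resp->hdr.err)` branch after it. The `g_free(ring)` in that branch releases only the ring object itself, which is the gap the reply in this thread points at; the error path needs the same teardown steps as destroy_cq.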
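Review bot: in the create_qp hunk, the new error branch calls `g_free(rings)` and then `goto out`, which frees the allocation but, as the reply in this thread notes, does nothing for the send and recv rings that remain mapped. The visible lines also do not show whether rdma_rm_alloc_qp can fail after it has already stored the `rings` pointer; if it can, freeing it here would leave a dangling reference, so the commit message should state who owns `rings` on failure. A single static teardown helper called from this branch and from destroy_qp would keep the two paths from diverging.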