On Tue, Dec 11, 2018 at 06:47:43PM +0200, Yuval Shaia wrote:
> On Tue, Dec 11, 2018 at 06:56:41PM +0530, P J P wrote:
> > From: Prasad J Pandit <p...@fedoraproject.org>
> >
> > create_cq and create_qp routines allocate ring object, but it's
> > not released in case of an error, leading to memory leakage.
> >
> > Reported-by: Li Qiang <liq...@163.com>
> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> > ---
> > hw/rdma/vmw/pvrdma_cmd.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> > index ee2888259c..e8d99f29fa 100644
> > --- a/hw/rdma/vmw/pvrdma_cmd.c
> > +++ b/hw/rdma/vmw/pvrdma_cmd.c
> > @@ -337,7 +337,9 @@ static int create_cq(PVRDMADev *dev, union
> > pvrdma_cmd_req *req,
> >
> > resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
> > cmd->cqe, &resp->cq_handle, ring);
> > - resp->cqe = cmd->cqe;
> > + if (resp->hdr.err) {
> > + g_free(ring);
>
> This is not enough since all ring's resources (ring state and ring's pages)
> left mapped.
>
> The steps needed are the steps detailed in destroy_cq.
>
> > + }
> >
> > out:
> > pr_dbg("ret=%d\n", resp->hdr.err);
> > @@ -490,6 +492,10 @@ static int create_qp(PVRDMADev *dev, union
> > pvrdma_cmd_req *req,
> > cmd->max_send_sge,
> > cmd->send_cq_handle,
> > cmd->max_recv_wr, cmd->max_recv_sge,
> > cmd->recv_cq_handle, rings,
> > &resp->qpn);
> > + if (resp->hdr.err) {
> > + g_free(rings);
>
> Ditto, here send rind and recv rings stays mapped.
> Look at how QP's ring is destroyed in destroy_qp.
>
> For both case suggesting to define a new static function that destroy rings
> and call it from both error flow of create_* and from destroy_*
>
> > + goto out;
> > + }
> >
> > resp->max_send_wr = cmd->max_send_wr;
> > resp->max_recv_wr = cmd->max_recv_wr;
Also, can you rebase this patch on top of the patchset i posted last week:
https://patchwork.kernel.org/patch/10705439/
Thanks,
> > --
> > 2.19.2
> >
