From: Prasad J Pandit <pjp@fedoraproject.org>
create_cq and create_qp routines allocate ring object, but it's
not released in case of an error, leading to memory leakage.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/rdma/vmw/pvrdma_cmd.c | 36 +++++++++++++++++++++++++-----------
1 file changed, 25 insertions(+), 11 deletions(-)
Update v1: define new function to free PvrdmaRing object
-> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02328.html
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index e37fb18280..7e29607d2f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -313,6 +313,14 @@ out:
return rc;
}
+static void destroy_cq_ring(PvrdmaRing *ring)
+{
+ pvrdma_ring_free(ring);
+ /* ring_state was in slot 1, not 0 so need to jump back */
+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -335,6 +343,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
rc = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, cmd->cqe,
&resp->cq_handle, ring);
+ if (rc) {
+ destroy_cq_ring(ring);
+ }
return rc;
}
@@ -355,10 +366,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
}
ring = (PvrdmaRing *)cq->opaque;
- pvrdma_ring_free(ring);
- /* ring_state was in slot 1, not 0 so need to jump back */
- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_cq_ring(ring);
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
@@ -456,6 +464,17 @@ out:
return rc;
}
+static void destroy_qp_rings(PvrdmaRing *ring)
+{
+ pr_dbg("sring=%p\n", &ring[0]);
+ pvrdma_ring_free(&ring[0]);
+ pr_dbg("rring=%p\n", &ring[1]);
+ pvrdma_ring_free(&ring[1]);
+
+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -485,6 +504,7 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
cmd->max_recv_sge, cmd->recv_cq_handle, rings,
&resp->qpn);
if (rc) {
+ destroy_qp_rings(rings);
return rc;
}
@@ -557,13 +577,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
ring = (PvrdmaRing *)qp->opaque;
- pr_dbg("sring=%p\n", &ring[0]);
- pvrdma_ring_free(&ring[0]);
- pr_dbg("rring=%p\n", &ring[1]);
- pvrdma_ring_free(&ring[1]);
-
- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_qp_rings(ring);
return 0;
}
--
2.19.2
On Wed, Dec 12, 2018 at 05:17:24PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> create_cq and create_qp routines allocate ring object, but it's
> not released in case of an error, leading to memory leakage.
>
> Reported-by: Li Qiang <liq3ea@163.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 36 +++++++++++++++++++++++++-----------
> 1 file changed, 25 insertions(+), 11 deletions(-)
>
> Update v1: define new function to free PvrdmaRing object
> -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02328.html
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index e37fb18280..7e29607d2f 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -313,6 +313,14 @@ out:
> return rc;
> }
>
> +static void destroy_cq_ring(PvrdmaRing *ring)
> +{
> + pvrdma_ring_free(ring);
> + /* ring_state was in slot 1, not 0 so need to jump back */
> + rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
> + g_free(ring);
> +}
> +
> static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
> union pvrdma_cmd_resp *rsp)
> {
> @@ -335,6 +343,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
>
> rc = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, cmd->cqe,
> &resp->cq_handle, ring);
> + if (rc) {
> + destroy_cq_ring(ring);
> + }
>
> return rc;
> }
> @@ -355,10 +366,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
> }
>
> ring = (PvrdmaRing *)cq->opaque;
> - pvrdma_ring_free(ring);
> - /* ring_state was in slot 1, not 0 so need to jump back */
> - rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
> - g_free(ring);
> + destroy_cq_ring(ring);
>
> rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
>
> @@ -456,6 +464,17 @@ out:
> return rc;
> }
>
> +static void destroy_qp_rings(PvrdmaRing *ring)
> +{
> + pr_dbg("sring=%p\n", &ring[0]);
> + pvrdma_ring_free(&ring[0]);
> + pr_dbg("rring=%p\n", &ring[1]);
> + pvrdma_ring_free(&ring[1]);
> +
> + rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
> + g_free(ring);
> +}
> +
> static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
> union pvrdma_cmd_resp *rsp)
> {
> @@ -485,6 +504,7 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
> cmd->max_recv_sge, cmd->recv_cq_handle, rings,
> &resp->qpn);
> if (rc) {
> + destroy_qp_rings(rings);
> return rc;
> }
>
> @@ -557,13 +577,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
> rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
>
> ring = (PvrdmaRing *)qp->opaque;
> - pr_dbg("sring=%p\n", &ring[0]);
> - pvrdma_ring_free(&ring[0]);
> - pr_dbg("rring=%p\n", &ring[1]);
> - pvrdma_ring_free(&ring[1]);
> -
> - rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
> - g_free(ring);
> + destroy_qp_rings(ring);
>
Thanks.
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
> return 0;
> }
> --
> 2.19.2
>
© 2016 - 2025 Red Hat, Inc.