
[1/1] RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup

Message ID 20220705012212.294534-1-yanjun.zhu@linux.dev (mailing list archive)
State Superseded

Commit Message

Zhu Yanjun July 5, 2022, 1:22 a.m. UTC
From: Zhu Yanjun <yanjun.zhu@linux.dev>

In some error handlers, both scq and rcq are set to NULL before
calling rxe_qp_do_cleanup.

Fixes: 4703b4f0d94a ("RDMA/rxe: Enforce IBA C11-17")
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
---
 drivers/infiniband/sw/rxe/rxe_qp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Jason Gunthorpe July 4, 2022, 12:54 p.m. UTC | #1
On Mon, Jul 04, 2022 at 09:22:12PM -0400, yanjun.zhu@linux.dev wrote:
> From: Zhu Yanjun <yanjun.zhu@linux.dev>
> 
> In some error handlers, both scq and rcq are set to NULL before
> calling rxe_qp_do_cleanup.

Describe the error flows in the commit message please

Jason
Zhu Yanjun July 4, 2022, 2:21 p.m. UTC | #2
On 2022/7/4 20:54, Jason Gunthorpe wrote:
> On Mon, Jul 04, 2022 at 09:22:12PM -0400, yanjun.zhu@linux.dev wrote:
>> From: Zhu Yanjun <yanjun.zhu@linux.dev>
>>
>> In some error handlers, both scq and rcq are set to NULL before
>> calling rxe_qp_do_cleanup.
> Describe the error flows in the commit message please

Got it. I will send the latest commit very soon.

Zhu Yanjun

>
> Jason

Patch

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 22e9b85344c3..b79e1b43454e 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -804,13 +804,15 @@  static void rxe_qp_do_cleanup(struct work_struct *work)
 	if (qp->rq.queue)
 		rxe_queue_cleanup(qp->rq.queue);
 
-	atomic_dec(&qp->scq->num_wq);
-	if (qp->scq)
+	if (qp->scq) {
+		atomic_dec(&qp->scq->num_wq);
 		rxe_put(qp->scq);
+	}
 
-	atomic_dec(&qp->rcq->num_wq);
-	if (qp->rcq)
+	if (qp->rcq) {
+		atomic_dec(&qp->rcq->num_wq);
 		rxe_put(qp->rcq);
+	}
 
 	if (qp->pd)
 		rxe_put(qp->pd);
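
Review bot: In the new `if (qp->scq) {` and `if (qp->rcq) {` blocks, the `num_wq` decrement is now skipped whenever the pointer is NULL, so the counter stays balanced only if every error handler that clears `scq`/`rcq` before calling rxe_qp_do_cleanup either never incremented `num_wq` or already decremented it. Please confirm that for each such handler and name them in the commit message, which currently says only "some error handlers". Moving the dereference under the NULL check is the right shape for the KASAN report, and it matches the existing guards on `qp->rq.queue` and `qp->pd` in the same function.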