From patchwork Mon Oct 17 14:26:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Natalia Petrova X-Patchwork-Id: 13008901 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4B5DC4332F for ; Mon, 17 Oct 2022 14:28:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230041AbiJQO2C (ORCPT ); Mon, 17 Oct 2022 10:28:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229738AbiJQO2B (ORCPT ); Mon, 17 Oct 2022 10:28:01 -0400 X-Greylist: delayed 62 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Mon, 17 Oct 2022 07:27:59 PDT Received: from exchange.fintech.ru (e10edge.fintech.ru [195.54.195.159]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37A9E6581A; Mon, 17 Oct 2022 07:27:59 -0700 (PDT) Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru (195.54.195.169) with Microsoft SMTP Server (TLS) id 14.3.498.0; Mon, 17 Oct 2022 17:26:54 +0300 Received: from KANASHIN1.fintech.ru (10.0.253.125) by Ex16-01.fintech.ru (10.0.10.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Mon, 17 Oct 2022 17:26:53 +0300 From: Natalia Petrova To: Dennis Dalessandro , "Jason Gunthorpe" , Leon Romanovsky CC: Natalia Petrova , , , , "Alexey Khoroshilov" Subject: [PATCH] rdmavt: avoid NULL pointer dereference in rvt_qp_exit() Date: Mon, 17 Oct 2022 17:26:52 +0300 Message-ID: <20221017142652.13906-1-n.petrova@fintech.ru> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Originating-IP: [10.0.253.125] X-ClientProxiedBy: Ex16-01.fintech.ru (10.0.10.18) To Ex16-01.fintech.ru (10.0.10.18) Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is dereferenced before that in rvt_free_all_qps(). Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut down") Signed-off-by: Natalia Petrova Signed-off-by: Alexey Khoroshilov --- drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index 3acab569fbb9..06e755975f61 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) */ void rvt_qp_exit(struct rvt_dev_info *rdi) { - u32 qps_inuse = rvt_free_all_qps(rdi); + u32 qps_inuse = 0; + + if (!rdi->qp_dev) + return; + + qps_inuse = rvt_free_all_qps(rdi); if (qps_inuse) rvt_pr_err(rdi, "QP memory leak! %u still in use\n", qps_inuse); - if (!rdi->qp_dev) - return; kfree(rdi->qp_dev->qp_table); free_qpn_table(&rdi->qp_dev->qpn_table);