From: Shay Drory <shayd@xxxxxxxxxx>

Currently, in case of QP, the following use-after-free is possible:

        cpu0                            cpu1
        ----                            ----
 res_get_common_dumpit()
 rdma_restrack_get()
 fill_res_qp_entry()
                                 ib_destroy_qp_user()
                                  rdma_restrack_del()
                                  qp->device->ops.destroy_qp()
 ib_query_qp()
 qp->device->ops.query_qp()
   --> use-after-free-qp

This is because rdma_restrack_del(), in case of QP, isn't waiting until
all users are gone. Fix it by making rdma_restrack_del() wait until all
users are gone for QPs as well.

Fixes: 13ef5539def7 ("RDMA/restrack: Count references to the verbs objects")
Signed-off-by: Shay Drory <shayd@xxxxxxxxxx>
Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
--- drivers/infiniband/core/restrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c index ffabaf327242..def0c5b0efe9 100644 --- a/drivers/infiniband/core/restrack.c +++ b/drivers/infiniband/core/restrack.c @@ -340,7 +340,7 @@ void rdma_restrack_del(struct rdma_restrack_entry *res) rt = &dev->res[res->type]; old = xa_erase(&rt->xa, res->id); - if (res->type == RDMA_RESTRACK_MR || res->type == RDMA_RESTRACK_QP) + if (res->type == RDMA_RESTRACK_MR) return; WARN_ON(old != res); -- 2.30.2
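
Review bot: With RDMA_RESTRACK_QP dropped from the early return in rdma_restrack_del(), QP entries now reach WARN_ON(old != res) for the first time, so please confirm that xa_erase(&rt->xa, res->id) returns res on every QP destroy path; a QP that is missing from the xarray at that point would start warning here. The remaining `if (res->type == RDMA_RESTRACK_MR) return;` should also get a short comment saying why MRs are still exempt from the wait, since the commit message explains the race only for QPs and this hunk alone does not show whether the MR dump path is safe without it. Finally, the trace in the commit message has rdma_restrack_del() running before qp->device->ops.destroy_qp(), so the destroy path now blocks until dump readers drop their references; the changelog should say that those readers hold the reference only for a bounded time.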