On Wed, May 25, 2022 at 12:28 PM <yanjun.zhu@xxxxxxxxx> wrote: > > From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx> > > Move the qp error handler to be near the rxe_create_qp. > > Reported-by: syzbot+833061116fa28df97f3b@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx> > --- > drivers/infiniband/sw/rxe/rxe_qp.c | 14 ++++++++++---- > drivers/infiniband/sw/rxe/rxe_verbs.c | 1 - > 2 files changed, 10 insertions(+), 5 deletions(-) > > diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c > index 22e9b85344c3..f73ca567a8b3 100644 > --- a/drivers/infiniband/sw/rxe/rxe_qp.c > +++ b/drivers/infiniband/sw/rxe/rxe_qp.c > @@ -220,8 +220,7 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, > &qp->sq.queue->ip); > > if (err) { > - vfree(qp->sq.queue->buf); > - kfree(qp->sq.queue); > + rxe_queue_cleanup(qp->sq.queue); > qp->sq.queue = NULL; > return err; > } > @@ -277,8 +276,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, > qp->rq.queue->buf, qp->rq.queue->buf_size, > &qp->rq.queue->ip); > if (err) { > - vfree(qp->rq.queue->buf); > - kfree(qp->rq.queue); > + rxe_queue_cleanup(qp->rq.queue); > qp->rq.queue = NULL; > return err; > } > @@ -341,6 +339,14 @@ int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, struct rxe_pd *pd, > return 0; > > err2: > + if (qp_type(qp) == IB_QPT_RC) { > + del_timer_sync(&qp->retrans_timer); > + del_timer_sync(&qp->rnr_nak_timer); > + } > + > + rxe_cleanup_task(&qp->req.task); > + rxe_cleanup_task(&qp->comp.task); > + > rxe_queue_cleanup(qp->sq.queue); > qp->sq.queue = NULL; > err1: > diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c > index 9d995854a174..d0bc195b572f 100644 > --- a/drivers/infiniband/sw/rxe/rxe_verbs.c > +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c 
> @@ -432,7 +432,6 @@ static int rxe_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *init, > return 0; > > qp_init: > - rxe_put(qp); Does this mean that in case rxe_qp_init_resp fails (rxe_qp_init_req had succeeded), we will NOT end up calling rxe_qp_do_cleanup? If so, would we miss shutting down and releasing qp->sk? > return err; > } > > -- > 2.31.1 >
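Review bot: the change in rxe_qp_init_req and rxe_qp_init_resp that replaces `vfree(qp->sq.queue->buf); kfree(qp->sq.queue);` with `rxe_queue_cleanup(qp->sq.queue);` is a separate consolidation that the commit message ("Move the qp error handler to be near the rxe_create_qp") does not mention; please describe it there, and state that rxe_queue_cleanup() copes with a queue whose mmap info was never attached, since on both sites it runs immediately after the call that fills `&qp->sq.queue->ip` (resp. `&qp->rq.queue->ip`) has failed.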
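Review bot: the new teardown at err2 in rxe_qp_from_init (timers for IB_QPT_RC, then `rxe_cleanup_task(&qp->req.task)` / `rxe_cleanup_task(&qp->comp.task)`, then the sq queue) only covers the case where rxe_qp_init_resp fails after rxe_qp_init_req succeeded; the err1 path gets nothing, yet with `rxe_put(qp)` removed from rxe_create_qp it no longer reaches rxe_qp_do_cleanup either, so anything set up before rxe_qp_init_req (including the qp->sk socket raised in the reply) is released on neither path. Either add the matching release at err1 or explain in the commit message why that state is owned elsewhere.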
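Review bot: removing `rxe_put(qp);` at qp_init leaves rxe_create_qp's error path with no release at all, so the reference that call paired with is never dropped when rxe_qp_from_init fails, and the qp object leaks along with whatever rxe_qp_do_cleanup would have freed. If the intent is to stop rxe_qp_do_cleanup from touching a partially initialised qp, the safer shape is to keep the `rxe_put(qp)` and make rxe_qp_do_cleanup tolerant of unset timers, tasks and queues (the err2 block above already nulls `qp->sq.queue`, which suggests that direction), rather than skipping the put.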