On Tue, Jul 05, 2022 at 06:54:14PM -0400, yanjun.zhu@xxxxxxxxx wrote:
> From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
>
> The function rxe_create_qp calls rxe_qp_from_init. If some error
> occurs, the error handler of function rxe_qp_from_init will set
> both scq and rcq to NULL.
>
> Then rxe_create_qp calls rxe_put to handle qp. In the end,
> rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly
> accesses scq and rcq before checking them. This will cause a
> null-ptr-deref error.
>
> The call graph is as below:
>
> rxe_create_qp {
>   ...
>   rxe_qp_from_init {
>     ...
>     err1:
>     ...
>     qp->rcq = NULL; <--- rcq is set to NULL
>     qp->scq = NULL; <--- scq is set to NULL
>     ...
>   }
>
> qp_init:
>   rxe_put {
>     ...
>     rxe_qp_do_cleanup {
>       ...
>       atomic_dec(&qp->scq->num_wq); <--- scq is accessed
>       ...
>       atomic_dec(&qp->rcq->num_wq); <--- rcq is accessed
>     }
>   }
>
> Fixes: 4703b4f0d94a ("RDMA/rxe: Enforce IBA C11-17")
> Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
> ---
> V1->V2: Describe the error flows.
> ---
>  drivers/infiniband/sw/rxe/rxe_qp.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)

Thanks, applied.
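The failure mode in the quoted commit message, reduced to a stand-alone C model. This is an added example, not the rxe driver's code and not the patch itself (the patch hunks are not in this message): the struct names, the `fail_init` switch, the plain `int` counter standing in for `atomic_t num_wq`, and the guarded cleanup as the fix pattern are all assumptions made here to show why an unconditional `qp->scq->num_wq` access after a failed init dereferences NULL, and how a NULL check in the cleanup path keeps the reference counts balanced on both the success and the error path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model of the QP / CQ relationship from the commit
 * message. Field names follow the driver (scq, rcq, num_wq) but the
 * layout and logic are a simplification, not the driver's own code. */
struct rxe_cq {
    int num_wq;            /* work queues attached; atomic_t in the driver */
};

struct rxe_qp {
    struct rxe_cq *scq;    /* send completion queue, NULL after a failed init */
    struct rxe_cq *rcq;    /* recv completion queue, NULL after a failed init */
};

/* Models rxe_qp_from_init. On success both CQs gain a reference. On the
 * error path (assumed here to be triggered by fail_init) the references
 * taken so far are dropped and the QP's CQ pointers are cleared, which is
 * the state the commit message describes at err1. Returns 0 or -1. */
int qp_from_init(struct rxe_qp *qp, struct rxe_cq *scq, struct rxe_cq *rcq,
                 bool fail_init)
{
    qp->scq = scq;
    qp->rcq = rcq;
    scq->num_wq++;
    rcq->num_wq++;
    if (fail_init) {
        /* err1: undo what this function did, then clear the pointers */
        scq->num_wq--;
        rcq->num_wq--;
        qp->scq = NULL;
        qp->rcq = NULL;
        return -1;
    }
    return 0;
}

/* Models rxe_qp_do_cleanup with the defensive shape: each CQ pointer is
 * checked before the reference is released. Returns how many CQ references
 * were actually released (2 after a successful init, 0 after a failed one).
 * The pre-fix version described in the message did the two decrements
 * unconditionally, so after a failed init it dereferenced NULL here. */
int qp_do_cleanup(struct rxe_qp *qp)
{
    int released = 0;

    if (qp->scq) {
        qp->scq->num_wq--;
        qp->scq = NULL;
        released++;
    }
    if (qp->rcq) {
        qp->rcq->num_wq--;
        qp->rcq = NULL;
        released++;
    }
    return released;
}

/* Runs init followed by the cleanup that rxe_put would trigger.
 * Returns the number of CQ references released by cleanup, or -1 if the
 * counters did not return to zero (a reference leak or double release). */
int run_lifecycle(bool fail_init)
{
    struct rxe_cq scq = { 0 }, rcq = { 0 };
    struct rxe_qp qp = { NULL, NULL };
    int released;

    (void)qp_from_init(&qp, &scq, &rcq, fail_init);
    released = qp_do_cleanup(&qp);

    if (scq.num_wq != 0 || rcq.num_wq != 0)
        return -1;
    return released;
}

int main(void)
{
    printf("failed init  -> cleanup released %d CQ refs\n", run_lifecycle(true));
    printf("good init    -> cleanup released %d CQ refs\n", run_lifecycle(false));
    return 0;
}
```

The point the test pins down is the invariant a cleanup path must hold: whatever the init function left behind, cleanup releases exactly the references that still exist and never touches a pointer the error path already cleared.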