From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>

This problem is in this link:
news://nntp.lore.kernel.org:119/0000000000006ed46805dfaded18@xxxxxxxxxx

This is an error unwind problem. In the function rxe_create_qp,
rxe_qp_from_init is called to initialize qp. rxe_qp_init_req is called
by rxe_qp_from_init. If an error occurs before spin_lock_init in
rxe_qp_init_req, several spin locks are not initialized. Then
rxe_create_qp finally calls rxe_cleanup(qp) to handle errors. In the
end, rxe_qp_do_cleanup is called. In this function, rxe_cleanup_task
will call spin_lock_bh. But task->state_lock is not initialized. As
such, an uninitialized spin lock is called by spin_lock_bh.

rxe_create_qp {
        ...
        err = rxe_qp_from_init(rxe, qp, pd, init, uresp, ibqp->pd, udata);
        if (err)
                goto qp_init;
        ...
        return 0;

qp_init:
        rxe_cleanup(qp);
        return err;
}

rxe_qp_do_cleanup {
        ...
        rxe_cleanup_task {
                ...
                spin_lock_bh(&task->state_lock);
                ...
        }
}

rxe_qp_from_init {
        ...
        rxe_qp_init_misc(rxe, qp, init);

        err = rxe_qp_init_req {
                ...
                spin_lock_init(&qp->sq.sq_lock);
                ...
                rxe_init_task {
                        ...
                        spin_lock_init(&task->state_lock);
                        ...
                }
        }
        if (err)
                goto err1;

        err = rxe_qp_init_resp {
                ...
                spin_lock_init(&qp->rq.producer_lock);
                spin_lock_init(&qp->rq.consumer_lock);
                ...
                rxe_init_task {
                        ...
                        spin_lock_init(&task->state_lock);
                        ...
                }
        }
        if (err)
                goto err2;
        ...
        return 0;

err2:
        ...
err1:
        ...
        return err;
}

About 7 spin locks in qp creation need to be initialized. Now these
spin locks are initialized in the function rxe_qp_init_misc. This will
avoid the error "initialize spin locks before use".

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Reported-by: syzbot+833061116fa28df97f3b@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
---
 drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index b79e1b43454e..7a223583cf8b 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -174,6 +174,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, spin_lock_init(&qp->state_lock); + spin_lock_init(&qp->req.task.state_lock); + spin_lock_init(&qp->resp.task.state_lock); + spin_lock_init(&qp->comp.task.state_lock); + + spin_lock_init(&qp->sq.sq_lock); + spin_lock_init(&qp->rq.producer_lock); + spin_lock_init(&qp->rq.consumer_lock); + atomic_set(&qp->ssn, 0); atomic_set(&qp->skb_out, 0); } @@ -233,7 +241,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, qp->req.opcode = -1; qp->comp.opcode = -1; - spin_lock_init(&qp->sq.sq_lock); skb_queue_head_init(&qp->req_pkts); rxe_init_task(rxe, &qp->req.task, qp, @@ -284,9 +291,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, } } - spin_lock_init(&qp->rq.producer_lock); - spin_lock_init(&qp->rq.consumer_lock); - skb_queue_head_init(&qp->resp_pkts); rxe_init_task(rxe, &qp->resp.task, qp, -- 2.27.0
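Review bot: in the first hunk (rxe_qp_init_misc), the three new spin_lock_init() calls on qp->req.task.state_lock, qp->resp.task.state_lock and qp->comp.task.state_lock duplicate the spin_lock_init(&task->state_lock) that the description shows still living inside rxe_init_task, and the diffstat touches only rxe_qp.c, so each task state lock is now initialized twice. Either remove the call from rxe_init_task in the same patch or state in the description why it has to stay (for example if rxe_init_task has callers that do not go through rxe_qp_init_misc). Two smaller points on the same hunk: the fix only holds if rxe_qp_init_misc() is guaranteed to run before any error return that reaches rxe_cleanup(), and the sketch of rxe_qp_from_init hides everything before the rxe_qp_init_misc() call behind "...", so the description should say explicitly that no failure path precedes it, otherwise rxe_qp_do_cleanup() still takes an uninitialized lock on that path; and "About 7 spin locks" can be made exact, since with the pre-existing spin_lock_init(&qp->state_lock) this hunk initializes exactly seven.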