On Sun, Jul 31, 2022 at 02:36:21AM -0400, yanjun.zhu@xxxxxxxxx wrote:
> From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
>
> This problem is in this link:
> news://nntp.lore.kernel.org:119/0000000000006ed46805dfaded18@xxxxxxxxxx
>
> This is an error unwind problem.
>
> In the function rxe_create_qp, rxe_qp_from_init is called to initialize qp.
> rxe_qp_init_req is called by rxe_qp_from_init. If an error occurs before
> spin_lock_init in rxe_qp_init_req, several spin locks are not initialized.
> Then rxe_create_qp finally calls rxe_cleanup(qp) to handle errors.
>
> In the end, rxe_qp_do_cleanup is called. In this function, rxe_cleanup_task
> will call spin_lock_bh. But task->state_lock is not initialized.
>
> As such, an uninitialized spin lock is called by spin_lock_bh.
>
> rxe_create_qp {
>     ...
>     err = rxe_qp_from_init(rxe, qp, pd, init, uresp, ibqp->pd, udata);
>     if (err)
>         goto qp_init;
>     ...
>     return 0;
>
> qp_init:
>     rxe_cleanup(qp);
>     return err;
> }
>
> rxe_qp_do_cleanup {
>     ...
>     rxe_cleanup_task {
>         ...
>         spin_lock_bh(&task->state_lock);
>         ...
>     }
> }
>
> rxe_qp_from_init {
>     ...
>     rxe_qp_init_misc(rxe, qp, init);
>
>     err = rxe_qp_init_req {
>         ...
>         spin_lock_init(&qp->sq.sq_lock);
>         ...
>         rxe_init_task {
>             ...
>             spin_lock_init(&task->state_lock);
>             ...
>         }
>     }
>     if (err)
>         goto err1;
>
>     err = rxe_qp_init_resp {
>         ...
>         spin_lock_init(&qp->rq.producer_lock);
>         spin_lock_init(&qp->rq.consumer_lock);
>         ...
>         rxe_init_task {
>             ...
>             spin_lock_init(&task->state_lock);
>             ...
>         }
>     }
>
>     if (err)
>         goto err2;
>     ...
>     return 0;
>
> err2:
>     ...
> err1:
>     ...
>     return err;
> }
>
> About 7 spin locks in qp creation need to be initialized. Now these
> spin locks are initialized in the function rxe_qp_init_misc. This
> will avoid the error "initialize spin locks before use".
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Reported-by: syzbot+833061116fa28df97f3b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
> ---
>  drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Applied to for-next, thanks

Jason
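The error-unwind ordering described in the quoted patch, modelled in plain userspace C as an added illustration (this is not rxe code and not part of the thread). The kernel spinlock is replaced by a hypothetical `dbg_lock` that records whether it was ever initialised, in the spirit of a debug-spinlock build; `qp_from_init_original` initialises each stage's locks only after a step that can fail, so its cleanup path touches locks that were never initialised, while `qp_from_init_fixed` initialises every lock the cleanup can take in an infallible "misc" stage first. The stage numbers, function names and the `fail_stage` fault-injection argument are all constructed for this example.

```c
#include <string.h>

/* Hypothetical lock that records whether it was initialised; stands in for
 * a kernel spinlock under lock debugging.  Constructed for this example. */
#define LOCK_MAGIC 0x5EC0DE1Fu
struct dbg_lock { unsigned int magic; };

static void lock_init(struct dbg_lock *l) { l->magic = LOCK_MAGIC; }

/* Returns 0 if the lock was initialised, 1 if it is being used uninitialised
 * (the condition the syzbot report in the thread describes). */
static int lock_acquire(struct dbg_lock *l) { return l->magic == LOCK_MAGIC ? 0 : 1; }

struct task { struct dbg_lock state_lock; };

/* Cut-down model of the qp object: the five locks named in the quoted patch. */
struct qp {
    struct dbg_lock sq_lock;
    struct dbg_lock rq_producer_lock;
    struct dbg_lock rq_consumer_lock;
    struct task req_task;
    struct task resp_task;
};

/* Cleanup unconditionally takes every lock, as rxe_cleanup_task takes
 * task->state_lock.  Returns how many of them were never initialised. */
static int qp_do_cleanup(struct qp *qp) {
    int bad = 0;
    bad += lock_acquire(&qp->req_task.state_lock);
    bad += lock_acquire(&qp->resp_task.state_lock);
    bad += lock_acquire(&qp->sq_lock);
    bad += lock_acquire(&qp->rq_producer_lock);
    bad += lock_acquire(&qp->rq_consumer_lock);
    return bad;
}

/* Original ordering: the req stage (1) and resp stage (2) each initialise their
 * own locks after work that can fail.  fail_stage injects a failure before the
 * lock_init calls of that stage; 0 means no failure. */
static int qp_from_init_original(struct qp *qp, int fail_stage, int *uninit_uses) {
    memset(qp, 0, sizeof(*qp));
    *uninit_uses = 0;
    if (fail_stage == 1) goto err;
    lock_init(&qp->sq_lock);
    lock_init(&qp->req_task.state_lock);
    if (fail_stage == 2) goto err;
    lock_init(&qp->rq_producer_lock);
    lock_init(&qp->rq_consumer_lock);
    lock_init(&qp->resp_task.state_lock);
    return 0;
err:
    *uninit_uses = qp_do_cleanup(qp);   /* the unwind the patch fixes */
    return -1;
}

/* Fixed ordering: an infallible "misc" stage initialises every lock that the
 * cleanup path can take before any stage that is allowed to fail. */
static void qp_init_misc(struct qp *qp) {
    lock_init(&qp->sq_lock);
    lock_init(&qp->req_task.state_lock);
    lock_init(&qp->rq_producer_lock);
    lock_init(&qp->rq_consumer_lock);
    lock_init(&qp->resp_task.state_lock);
}

static int qp_from_init_fixed(struct qp *qp, int fail_stage, int *uninit_uses) {
    memset(qp, 0, sizeof(*qp));
    *uninit_uses = 0;
    qp_init_misc(qp);
    if (fail_stage == 1) goto err;
    if (fail_stage == 2) goto err;
    return 0;
err:
    *uninit_uses = qp_do_cleanup(qp);   /* now safe: all locks are initialised */
    return -1;
}

/* Driver for the two orderings: returns the number of uninitialised locks the
 * cleanup path touched when the given stage fails (0 when nothing fails). */
static int uninit_locks_on_failure(int fixed, int fail_stage) {
    struct qp qp;
    int uses = 0;
    if (fixed)
        qp_from_init_fixed(&qp, fail_stage, &uses);
    else
        qp_from_init_original(&qp, fail_stage, &uses);
    return uses;
}
```

With the original ordering a failure in the req stage leaves all five locks uninitialised for the cleanup path, and a failure in the resp stage leaves three; with the locks hoisted into the misc stage the count is zero whichever stage fails, which is the invariant the patch establishes for rxe_qp_init_misc.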