On 8/21/22 20:16, yanjun.zhu@xxxxxxxxx wrote:
> From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
>
> When rxe_queue_init in the function rxe_qp_init_req fails,
> both qp->req.task.func and qp->req.task.arg are not initialized.
>
> Because creation of qp fails, the function rxe_create_qp will
> call rxe_qp_do_cleanup to handle allocated resource.
>
> Before calling __rxe_do_task, both qp->req.task.func and
> qp->req.task.arg should be checked.
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Reported-by: syzbot+ab99dc4c6e961eed8b8e@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
> ---
>  drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
> index 516bf9b95e48..f10b461b9963 100644
> --- a/drivers/infiniband/sw/rxe/rxe_qp.c
> +++ b/drivers/infiniband/sw/rxe/rxe_qp.c
> @@ -797,7 +797,9 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
>  	rxe_cleanup_task(&qp->comp.task);
>
>  	/* flush out any receive wr's or pending requests */
> -	__rxe_do_task(&qp->req.task);
> +	if (qp->req.task.func && qp->req.task.arg)

func would be enough since they get set together. But, this is still fine
since not performance critical.

> +		__rxe_do_task(&qp->req.task);
> +
>  	if (qp->sq.queue) {
>  		__rxe_do_task(&qp->comp.task);
>  		__rxe_do_task(&qp->req.task);

Reviewed-by: Bob Pearson <rpearsonhpe@xxxxxxxxx>
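Review bot: the new guard covers only the first __rxe_do_task(&qp->req.task) in this hunk, while the unchanged context still calls rxe_cleanup_task(&qp->comp.task) before it and, inside the if (qp->sq.queue) block, __rxe_do_task(&qp->comp.task) and __rxe_do_task(&qp->req.task) with no check on their func pointers. If the rxe_queue_init failure in rxe_qp_init_req described in the commit message can leave qp->sq.queue set (or comp.task uninitialized) on the same path, those calls are just as unsafe as the one being fixed; please confirm the ordering of the queue assignment and rxe_init_task calls in rxe_qp_init_req, and either state in the commit message why the other callers are safe or guard them the same way (e.g. a single `if (qp->req.task.func)` test, as already noted, applied consistently rather than only to the first call).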