On Wed, May 17, 2023 at 04:15:10PM -0500, Bob Pearson wrote:
> There is a reference count error in error path code and a
> potential race in check_rkey() in rxe_resp.c. When looking
> up the rkey for a memory window the reference to the mw from
> rxe_lookup_mw() is dropped before a reference is taken on the
> mr referenced by the mw. If the mr is destroyed immediately
> after the call to rxe_put(mw) the mr pointer is unprotected
> and may end up pointing at freed memory. The rxe_get(mr) call
> should take place before the rxe_put(mw) call.
>
> All errors in check_rkey() call rxe_put(mw) if mw is not NULL
> but it was already called after the above. The mw pointer
> should be set to NULL after the rxe_put(mw) call to prevent
> this from happening.
>
> This patch corrects these errors.
>
> Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
> Signed-off-by: Bob Pearson <rpearsonhpe@xxxxxxxxx>
> ---
>  drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Applied to for-rc, thanks

Jason
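
Added example, not part of the original thread or the rxe driver source: a single-threaded C model of the two problems the commit message describes, the put-before-get ordering and the second put on the error path. All names (obj, win, lookup, run) are hypothetical, and the racing destroy is simulated by a direct put at the point where it would interleave.

```c
#include <stdio.h>

/* Constructed model: a refcounted object that records misuse instead of freeing. */
struct obj { int refs; int live; int misuse; };
struct win { struct obj ref; struct obj *mr; };   /* stands in for a memory window */
struct result { int mr_misuse; int mw_refs; };

static void obj_get(struct obj *o) { if (o->live) o->refs++; else o->misuse++; }
static void obj_put(struct obj *o)
{
    if (!o->live) { o->misuse++; return; }   /* put on an already released object */
    if (--o->refs == 0) o->live = 0;         /* last reference gone: released */
}

/* Hypothetical lookup. fixed=0: put(mw) before get(mr), mw left non-NULL.
 * fixed=1: get(mr) first, then put(mw) and mw = NULL. fail=1 takes the error path. */
static void lookup(struct win *w, int fixed, int fail)
{
    struct win *mw = w;
    struct obj *mr = mw->mr;

    obj_get(&mw->ref);              /* reference handed out by the lookup */
    if (fixed) {
        obj_get(mr);
        obj_put(&mw->ref);
        mw = NULL;
        obj_put(mr);                /* simulated racing destroy: mr survives */
    } else {
        obj_put(&mw->ref);
        obj_put(mr);                /* simulated racing destroy lands in the gap */
        obj_get(mr);                /* get on a released object */
    }
    if (fail) {                     /* shared error path drops what is still held */
        obj_put(mr);
        if (mw) obj_put(&mw->ref);  /* second put when mw was not cleared */
    }
}

static struct result run(int fixed, int fail)
{
    struct obj mr = { 1, 1, 0 };            /* one reference held by the owner */
    struct win w = { { 1, 1, 0 }, &mr };    /* likewise for the window */
    lookup(&w, fixed, fail);
    return (struct result){ mr.misuse, w.ref.refs };
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("fixed=%d fail=%d mr_misuse=%d mw_refs=%d\n", i / 2, i % 2,
               run(i / 2, i % 2).mr_misuse, run(i / 2, i % 2).mw_refs);
    return 0;
}
```

In the unfixed order the error path leaves mw_refs at 0, meaning the lookup consumed the owner's reference as well as its own; with the reordered calls the count returns to 1 and no operation touches a released object.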