If a call to rxe_create_qp() fails in rxe_qp_from_init() rxe_cleanup(qp) will be called. This code currently does not correctly handle cases where not all qp resources are allocated and can seg fault as reported below. The first two patches cleanup cases where this happens. The third patch corrects an error in rxe_srq.c where if caller requests a change in the srq size the correct new value is not returned to caller. Reported-by: syzbot+2da1965168e7dbcba136@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/linux-rdma/00000000000012d89205fe7cfe00@xxxxxxxxxx/raw Fixes: 49dc9c1f0c7e ("RDMA/rxe: Cleanup reset state handling in rxe_resp.c") Fixes: fbdeb828a21f ("RDMA/rxe: Cleanup error state handling in rxe_comp.c") Signed-off-by: Bob Pearson <rpearsonhpe@xxxxxxxxx> Bob Pearson (3): RDMA/rxe: Move work queue code to subroutines RDMA/rxe: Fix unsafe drain work queue code RDMA/rxe: Fix rxe_modify_srq drivers/infiniband/sw/rxe/rxe_comp.c | 4 + drivers/infiniband/sw/rxe/rxe_loc.h | 6 - drivers/infiniband/sw/rxe/rxe_qp.c | 163 ++++++++++++++++++--------- drivers/infiniband/sw/rxe/rxe_resp.c | 4 + drivers/infiniband/sw/rxe/rxe_srq.c | 55 +++++---- 5 files changed, 150 insertions(+), 82 deletions(-) base-commit: 830f93f47068b1632cc127871fbf27e918efdf46 -- 2.39.2
