Patch "RDMA/irdma: Prevent QP use after free" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 5 Jun 2023 07:45:31 -0400

This is a note to let you know that I've just added the patch titled

    RDMA/irdma: Prevent QP use after free

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-irdma-prevent-qp-use-after-free.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 56adeff866f05b2524f45a1107a442f1f69c05c4
Author: Mustafa Ismail <mustafa.ismail@xxxxxxxxx>
Date:   Mon May 22 10:56:53 2023 -0500

    RDMA/irdma: Prevent QP use after free
    
    [ Upstream commit c8f304d75f6c6cc679a73f89591f9a915da38f09 ]
    
    There is a window where the poll cq may use a QP that has been freed.
    This can happen if a CQE is polled before irdma_clean_cqes() can clear the
    CQE's related to the QP and the destroy QP races to free the QP memory.
    then the QP structures are used in irdma_poll_cq.  Fix this by moving the
    clearing of CQE's before the reference is removed and the QP is destroyed.
    
    Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
    Link: https://lore.kernel.org/r/20230522155654.1309-3-shiraz.saleem@xxxxxxxxx
    Signed-off-by: Mustafa Ismail <mustafa.ismail@xxxxxxxxx>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index e4c5fe4aa806a..7745740e737a3 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -509,11 +509,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
 	if (!iwqp->user_mode)
 		cancel_delayed_work_sync(&iwqp->dwork_flush);
 
-	irdma_qp_rem_ref(&iwqp->ibqp);
-	wait_for_completion(&iwqp->free_qp);
-	irdma_free_lsmm_rsrc(iwqp);
-	irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
-
 	if (!iwqp->user_mode) {
 		if (iwqp->iwscq) {
 			irdma_clean_cqes(iwqp, iwqp->iwscq);
@@ -521,6 +516,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
 				irdma_clean_cqes(iwqp, iwqp->iwrcq);
 		}
 	}
+
+	irdma_qp_rem_ref(&iwqp->ibqp);
+	wait_for_completion(&iwqp->free_qp);
+	irdma_free_lsmm_rsrc(iwqp);
+	irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
+
 	irdma_remove_push_mmap_entries(iwqp);
 	irdma_free_qp_rsrc(iwqp);
 






