Patch "RDMA/rxe: Fix ref count error in check_rkey()" has been added to the 6.1-stable tree


This is a note to let you know that I've just added the patch titled

    RDMA/rxe: Fix ref count error in check_rkey()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-rxe-fix-ref-count-error-in-check_rkey.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a5e24014555d7b614d55cb93b8abed5f88bdb143
Author: Bob Pearson <rpearsonhpe@xxxxxxxxx>
Date:   Wed May 17 16:15:10 2023 -0500

    RDMA/rxe: Fix ref count error in check_rkey()
    
    [ Upstream commit b00683422fd79dd07c9b75efdce1660e5e19150e ]
    
    There is a reference count error in error path code and a potential race
    in check_rkey() in rxe_resp.c. When looking up the rkey for a memory
    window the reference to the mw from rxe_lookup_mw() is dropped before a
    reference is taken on the mr referenced by the mw. If the mr is destroyed
    immediately after the call to rxe_put(mw) the mr pointer is unprotected
    and may end up pointing at freed memory. The rxe_get(mr) call should take
    place before the rxe_put(mw) call.
    
    All errors in check_rkey() call rxe_put(mw) if mw is not NULL but it was
    already called after the above. The mw pointer should be set to NULL after
    the rxe_put(mw) call to prevent this from happening.
    
    Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
    Link: https://lore.kernel.org/r/20230517211509.1819998-1-rpearsonhpe@xxxxxxxxx
    Signed-off-by: Bob Pearson <rpearsonhpe@xxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index 693081e813ec0..9f65c346d8432 100644
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -466,8 +466,9 @@ static enum resp_states check_rkey(struct rxe_qp *qp,
 		if (mw->access & IB_ZERO_BASED)
 			qp->resp.offset = mw->addr;
 
-		rxe_put(mw);
 		rxe_get(mr);
+		rxe_put(mw);
+		mw = NULL;
 	} else {
 		mr = lookup_mr(qp->pd, access, rkey, RXE_LOOKUP_REMOTE);
 		if (!mr) {
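
Review bot: The order of rxe_get(mr) before rxe_put(mw) in this hunk is load-bearing, but nothing in the code says so. A one-line comment above rxe_get(mr), stating that the mr reference must be taken while the mw reference is still held, would keep a later cleanup from swapping the two calls back. The same applies to mw = NULL: per the commit message, the error paths call rxe_put(mw) whenever mw is not NULL, so this assignment is the only thing preventing a second put, and it deserves a short comment as well. The visible lines do not show where mr is read from mw, so it is worth confirming in the full function that holding the mw reference is enough to keep mr alive up to the rxe_get(mr) call.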


