mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-06 16:49:22 +00:00
RDMA/irdma: Prevent QP use after free
[ Upstream commitc8f304d75f
] There is a window where the poll cq may use a QP that has been freed. This can happen if a CQE is polled before irdma_clean_cqes() can clear the CQE's related to the QP and the destroy QP races to free the QP memory. then the QP structures are used in irdma_poll_cq. Fix this by moving the clearing of CQE's before the reference is removed and the QP is destroyed. Fixes:b48c24c2d7
("RDMA/irdma: Implement device supported verb APIs") Link: https://lore.kernel.org/r/20230522155654.1309-3-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
3cf7747414
commit
07322c8a12
1 changed files with 6 additions and 5 deletions
|
@ -522,11 +522,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
|
||||||
if (!iwqp->user_mode)
|
if (!iwqp->user_mode)
|
||||||
cancel_delayed_work_sync(&iwqp->dwork_flush);
|
cancel_delayed_work_sync(&iwqp->dwork_flush);
|
||||||
|
|
||||||
irdma_qp_rem_ref(&iwqp->ibqp);
|
|
||||||
wait_for_completion(&iwqp->free_qp);
|
|
||||||
irdma_free_lsmm_rsrc(iwqp);
|
|
||||||
irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
|
|
||||||
|
|
||||||
if (!iwqp->user_mode) {
|
if (!iwqp->user_mode) {
|
||||||
if (iwqp->iwscq) {
|
if (iwqp->iwscq) {
|
||||||
irdma_clean_cqes(iwqp, iwqp->iwscq);
|
irdma_clean_cqes(iwqp, iwqp->iwscq);
|
||||||
|
@ -534,6 +529,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
|
||||||
irdma_clean_cqes(iwqp, iwqp->iwrcq);
|
irdma_clean_cqes(iwqp, iwqp->iwrcq);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
irdma_qp_rem_ref(&iwqp->ibqp);
|
||||||
|
wait_for_completion(&iwqp->free_qp);
|
||||||
|
irdma_free_lsmm_rsrc(iwqp);
|
||||||
|
irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
|
||||||
|
|
||||||
irdma_remove_push_mmap_entries(iwqp);
|
irdma_remove_push_mmap_entries(iwqp);
|
||||||
irdma_free_qp_rsrc(iwqp);
|
irdma_free_qp_rsrc(iwqp);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue