author Zhu Yanjun <yanjun.zhu@linux.dev> 2022-07-06 01:54:14 +0300
committer Leon Romanovsky <leonro@nvidia.com> 2022-07-18 14:32:39 +0300
commit 37da51efe6eaa0560f46803c8c436a48a2084da7 (patch)
tree 9fdacfc82cd4e6fe5aeacb5154467dce6f24419b /tools/perf/scripts/python/stackcollapse.py
parent 3056fc6c32e613b760422b94c7617ac9a24a4721 (diff)
download linux-37da51efe6eaa0560f46803c8c436a48a2084da7.tar.xz
RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup
The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL.

Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error.

The call graph is as below:

rxe_create_qp {
  ...
  rxe_qp_from_init {
    ...
  err1:
    ...
    qp->rcq = NULL;  <---rcq is set to NULL
    qp->scq = NULL;  <---scq is set to NULL
    ...
  }

qp_init:
  rxe_put{
    ...
    rxe_qp_do_cleanup {
      ...
      atomic_dec(&qp->scq->num_wq); <--- scq is accessed
      ...
      atomic_dec(&qp->rcq->num_wq); <--- rcq is accessed
    }
}

Fixes: 4703b4f0d94a ("RDMA/rxe: Enforce IBA C11-17")
Link: https://lore.kernel.org/r/20220705225414.315478-1-yanjun.zhu@linux.dev
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions
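
Added example, not part of the commit or of the rxe driver: a user-space C model of the failure path described in the commit message, with a cleanup routine that checks scq and rcq before touching num_wq. The struct layouts, the names qp_from_init_fail, release_cq and qp_do_cleanup_checked, and the count handling on the error path are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space stand-ins for the objects named in the commit message. */
struct cq { atomic_int num_wq; };
struct qp { struct cq *scq, *rcq; };

/* Models the err1 path of rxe_qp_from_init: init fails after the CQs were
 * attached, so the pointers are cleared. Dropping the counts here is an
 * assumption of this model; the commit message elides that part. */
int qp_from_init_fail(struct qp *qp, struct cq *scq, struct cq *rcq)
{
    qp->scq = scq;
    qp->rcq = rcq;
    atomic_fetch_add(&scq->num_wq, 1);
    atomic_fetch_add(&rcq->num_wq, 1);
    /* ... a later setup step fails ... */
    atomic_fetch_sub(&rcq->num_wq, 1);
    atomic_fetch_sub(&scq->num_wq, 1);
    qp->rcq = NULL;   /* rcq is set to NULL */
    qp->scq = NULL;   /* scq is set to NULL */
    return -1;
}

/* Releases one CQ count if the CQ is still attached; returns 1 if it was. */
static int release_cq(struct cq **slot)
{
    if (*slot == NULL)      /* the check the unpatched cleanup lacked */
        return 0;
    atomic_fetch_sub(&(*slot)->num_wq, 1);
    *slot = NULL;
    return 1;
}

/* Cleanup that is safe on a partially initialised QP.
 * Returns the number of CQs it actually released (0, 1 or 2). */
int qp_do_cleanup_checked(struct qp *qp)
{
    return release_cq(&qp->scq) + release_cq(&qp->rcq);
}

int main(void)
{
    struct cq scq = { 0 }, rcq = { 0 };
    struct qp qp = { NULL, NULL };
    int err = qp_from_init_fail(&qp, &scq, &rcq);
    printf("init=%d released=%d\n", err, qp_do_cleanup_checked(&qp));
    return 0;
}
```

Building the model with -fsanitize=address,undefined and removing the NULL check in release_cq reproduces the class of report named in the commit subject, in user space.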