    iw_cxgb4: only allow 1 flush on user qps · 82ea790a
    Steve Wise authored
    commit 308aa2b8 upstream.
    
    Once the qp has been flushed, it cannot be flushed again.  The user qp
    flush logic wasn't enforcing it however.  The bug can cause
    touch-after-free crashes like:
    
    Unable to handle kernel paging request for data at address 0x000001ec
    Faulting instruction address: 0xc008000016069100
    Oops: Kernel access of bad area, sig: 11 [#1]
    ...
    NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
    LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
    Call Trace:
    [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
    [c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
    [c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
    [c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
    [c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
    [c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
    [c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
    [c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
    [c000000000444da4] __fput+0xe4/0x2f0
    
    So fix flush_qp() to only flush the wq once.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    