    IB/rxe: Disable completion upcalls when a CQ is destroyed · bfc3ae05
    Andrew Boyer authored
    This prevents the stack from accessing userspace objects while they
    are being torn down.
    
    One possible sequence of events:
     - Userspace program exits
     - ib_uverbs_cleanup_ucontext() runs, calling ib_destroy_qp(),
       ib_destroy_cq(), etc. and releasing/freeing the UCQ
       - The QP still has tasklets running, so it isn't destroyed yet
       - The CQ is referenced by the QP, so the CQ isn't destroyed yet
       - The UCQ is kfree()'d anyway
     - A send work request completes
     - rxe_send_complete() calls cq->ibcq.comp_handler()
     - ib_uverbs_comp_handler() runs and crashes; the event queue is checked
       for is_closed, but it has no way to check the ib_ucq_object before
       accessing it
    
    The reference counting on the CQ doesn't protect against this since the CQ
    hasn't been destroyed yet.
    There's no available interface to deregister the UCQ from the CQ, and it
    didn't appear that attempting to add reference counting to the UCQ was
    going to be a good way to go since this solution is much simpler.
    
    Fixes: 8700e3e7 ("Soft RoCE driver")
    Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
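The sequence in the commit message, replayed as an added user-space model (not the driver's own code): a CQ outlives its UCQ because a QP still references it, a late completion fires the upcall, and the handler touches freed memory. The flag name `is_dying`, the helper names and the counters are assumptions for illustration; the model keeps the "freed" UCQ in memory so it can count the use-after-free rather than crash.

```c
#include <stdbool.h>

/* Constructed stand-ins for the objects named in the commit message, not the
 * driver's real structures. The ucq plays the role of the ib_ucq_object that
 * uverbs kfree()s before the CQ itself is destroyed. */
struct ucq {
    bool freed;             /* simulated kfree(): memory is kept so misuse can be observed */
    int completions_seen;
};

struct cq {
    bool is_dying;          /* assumed flag name; set once destroy of the CQ begins */
    struct ucq *ucq;
    int uaf_hits;           /* handler touched the ucq after it was "freed" */
    int upcalls_dropped;
};

/* Stand-in for ib_uverbs_comp_handler(): dereferences the ucq. On the real
 * stack this is where the crash happens; the model just counts it. */
static void comp_handler(struct cq *cq)
{
    if (cq->ucq->freed) {
        cq->uaf_hits++;
        return;
    }
    cq->ucq->completions_seen++;
}

/* Stand-in for the completion path (rxe_send_complete()). With the fix the
 * flag is consulted before the upcall; without it the upcall always fires. */
static void cq_post_completion(struct cq *cq, bool with_fix)
{
    if (with_fix && cq->is_dying) {
        cq->upcalls_dropped++;
        return;
    }
    comp_handler(cq);
}

/* Stand-in for the fix's disable step, run from the CQ destroy path even
 * though the CQ's reference count keeps the object alive for now. */
static void cq_disable(struct cq *cq)
{
    cq->is_dying = true;
}

/* Replays the commit's sequence and returns how many completions reached the
 * handler after the UCQ was freed, i.e. the use-after-free count. */
int replay_teardown_race(bool with_fix)
{
    struct ucq ucq = { 0 };
    struct cq cq = { .ucq = &ucq };

    cq_post_completion(&cq, with_fix);   /* normal operation: handler runs */

    /* ib_uverbs_cleanup_ucontext(): destroy of the CQ is requested and the UCQ
     * is freed, but a QP with running tasklets still holds the CQ alive. */
    cq_disable(&cq);
    ucq.freed = true;

    cq_post_completion(&cq, with_fix);   /* late send completions arrive */
    cq_post_completion(&cq, with_fix);

    return cq.uaf_hits;
}
```

Without the flag every late completion reaches the handler after the UCQ is gone; with it, the completion path drops the upcall and the freed object is never touched, which is the whole point of the change: the check lives on the side that outlives the user object.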
rxe_verbs.c 28.5 KB