    RDMA/mlx5: Don't access ib_qp fields in internal destroy QP path · 6c41965d
    Leon Romanovsky authored
    destroy_qp_common is called for flows where the QP has already been created by
    HW. When it is called from IB/core, the ibqp.* fields are fully
    initialized, but that is not the case if this function is called during QP
    creation.
    
    Avoid relying on ibqp fields as much as possible and initialize
    send_cq/recv_cq as a temporary solution until all drivers are converted to
    the IB/core QP allocation scheme.
    
    refcount_t: underflow; use-after-free.
    WARNING: CPU: 1 PID: 5372 at lib/refcount.c:28 refcount_warn_saturate+0xfe/0x1a0
    Kernel panic - not syncing: panic_on_warn set ...
    CPU: 1 PID: 5372 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
    Call Trace:
     mlx5_core_put_rsc+0x70/0x80
     destroy_resource_common+0x8e/0xb0
     mlx5_core_destroy_qp+0xaf/0x1d0
     mlx5_ib_destroy_qp+0xeb0/0x1460
     ib_destroy_qp_user+0x2d5/0x7d0
     create_qp+0xed3/0x2130
     ib_uverbs_create_qp+0x13e/0x190
     ? ib_uverbs_ex_create_qp
     ib_uverbs_write+0xaa5/0xdf0
     __vfs_write+0x7c/0x100
     ksys_write+0xc8/0x200
     do_syscall_64+0x9c/0x390
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 08d53976 ("RDMA/mlx5: Copy response to the user in one place")
    Link: https://lore.kernel.org/r/20200617130148.2846643-1-leon@kernel.org
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>