Commit 8ecef789 authored Jul 05, 2022 by Mustafa Ismail Committed by Leon Romanovsky Jul 18, 2022

RDMA/irdma: Fix a window for use-after-free

During a destroy CQ an interrupt may cause processing of a CQE after CQ
resources are freed by irdma_cq_free_rsrc(). Fix this by moving the call
to irdma_cq_free_rsrc() after the irdma_sc_cleanup_ceqes(), which is
called under the cq_lock.

Fixes: b48c24c2 ("RDMA/irdma: Implement device supported verb APIs")
Link: https://lore.kernel.org/r/20220705230815.265-6-shiraz.saleem@intel.com


Signed-off-by: Bartosz Sobczak <bartosz.sobczak@intel.com>
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>

parent c8c7c075

drivers/infiniband/hw/irdma/verbs.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1776,11 +1776,11 @@ static int irdma_destroy_cq(struct ib_cq ib_cq, struct ib_udata udata)
		spin_unlock_irqrestore(&iwcq->lock, flags);

		irdma_cq_wq_destroy(iwdev->rf, cq);
		irdma_cq_free_rsrc(iwdev->rf, iwcq);

		spin_lock_irqsave(&iwceq->ce_lock, flags);
		irdma_sc_cleanup_ceqes(cq, ceq);
		spin_unlock_irqrestore(&iwceq->ce_lock, flags);
		irdma_cq_free_rsrc(iwdev->rf, iwcq);

		return 0;
		}