review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Bernard Metzler <bmt@zurich.ibm.com>
	Tue, 20 Sep 2022 08:25:03 +0000 (10:25 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 26 Oct 2022 10:35:11 +0000 (12:35 +0200)
commit	5c75d608fad58301b63e7d69200c13c3a1d411da
tree	0f127cf78809ac12f53b808eb9840e6cfa9e53ab	tree \| snapshot
parent	308cd50f174c95a507527037f4de1a0396aa4325	commit \| diff

RDMA/siw: Fix QP destroy to wait for all references dropped.

[ Upstream commit a3c278807a459e6f50afee6971cabe74cccfb490 ]

Delay QP destroy completion until all siw references to QP are
dropped. The calling RDMA core will free QP structure after
successful return from siw_qp_destroy() call, so siw must not
hold any remaining reference to the QP upon return.
A use-after-free was encountered in xfstest generic/460, while
testing NFSoRDMA. Here, after a TCP connection drop by peer,
the triggered siw_cm_work_handler got delayed until after
QP destroy call, referencing a QP which has already freed.

Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
Reported-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Link: https://lore.kernel.org/r/20220920082503.224189-1-bmt@zurich.ibm.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/infiniband/sw/siw/siw.h		diff \| blob \| history
drivers/infiniband/sw/siw/siw_qp.c		diff \| blob \| history
drivers/infiniband/sw/siw/siw_verbs.c		diff \| blob \| history