From: Natalia Petrova
To: Dennis Dalessandro, Jason Gunthorpe, Leon Romanovsky
CC: Natalia Petrova, Alexey Khoroshilov
Subject: [PATCH] rdmavt: avoid NULL pointer dereference in rvt_qp_exit()
Date: Mon, 17 Oct 2022 17:26:52 +0300
Message-ID: <20221017142652.13906-1-n.petrova@fintech.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

rvt_qp_exit() checks 'rdi->qp_dev' for NULL, but the pointer is dereferenced before that in rvt_free_all_qps().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: f92e48718889 ("IB/rdmavt: Reset all QPs when the device is shut down")
Signed-off-by: Natalia Petrova
Signed-off-by: Alexey Khoroshilov

--- drivers/infiniband/sw/rdmavt/qp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index 3acab569fbb9..06e755975f61 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -459,13 +459,16 @@ static unsigned rvt_free_all_qps(struct rvt_dev_info *rdi) */ void rvt_qp_exit(struct rvt_dev_info *rdi) { - u32 qps_inuse = rvt_free_all_qps(rdi); + u32 qps_inuse = 0; + + if (!rdi->qp_dev) + return; + + qps_inuse = rvt_free_all_qps(rdi); if (qps_inuse) rvt_pr_err(rdi, "QP memory leak! %u still in use\n", qps_inuse); - if (!rdi->qp_dev) - return; kfree(rdi->qp_dev->qp_table); free_qpn_table(&rdi->qp_dev->qpn_table); -- 2.34.1
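
Review bot: The '= 0' initializer added to 'u32 qps_inuse' in rvt_qp_exit() is never observed, because the variable is assigned unconditionally by 'qps_inuse = rvt_free_all_qps(rdi);' before its only read in 'if (qps_inuse)'. Declaring 'u32 qps_inuse;' and assigning it after the '!rdi->qp_dev' check would make the same fix with a smaller diff. The commit message should also say on which call path rvt_qp_exit() can run with 'rdi->qp_dev' still NULL: if there is such a path, the reordering is the right fix and that path is worth naming for backporters; if there is none, the check is dead code and removing it would be the cleaner way to silence the analyzer. Minor style point: the subject prefix 'rdmavt:' does not match the 'IB/rdmavt:' prefix used by the commit named in the Fixes tag.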