Commit 5c75d608 authored Sep 20, 2022 by Bernard Metzler Committed by Greg Kroah-Hartman Oct 26, 2022

RDMA/siw: Fix QP destroy to wait for all references dropped.



[ Upstream commit a3c27880 ]

Delay QP destroy completion until all siw references to QP are
dropped. The calling RDMA core will free QP structure after
successful return from siw_qp_destroy() call, so siw must not
hold any remaining reference to the QP upon return.
A use-after-free was encountered in xfstest generic/460, while
testing NFSoRDMA. Here, after a TCP connection drop by peer,
the triggered siw_cm_work_handler got delayed until after
QP destroy call, referencing a QP which has already freed.

Fixes: 303ae1cd ("rdma/siw: application interface")
Reported-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Link: https://lore.kernel.org/r/20220920082503.224189-1-bmt@zurich.ibm.com


Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 308cd50f

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit a60104c6
· Nov 05, 2025

mentioned in commit a60104c6

mentioned in commit a60104c6cc760317a6bf12c471e0696d492d5549

Toggle commit list

Please to comment