iw_cxgb4: only allow 1 flush on user qps
commit
308aa2b8f7b7db3332a7d41099fd37851fb793b2 upstream.
Once the qp has been flushed, it cannot be flushed again. The user qp
flush logic wasn't enforcing it however. The bug can cause
touch-after-free crashes like:
Unable to handle kernel paging request for data at address 0x000001ec
Faulting instruction address: 0xc008000016069100
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [
c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
LR [
c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
Call Trace:
[
c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
[
c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
[
c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
[
c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
[
c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
[
c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
[
c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
[
c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
[
c000000000444da4] __fput+0xe4/0x2f0
So fix flush_qp() to only flush the wq once.
Cc: stable@vger.kernel.org
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
projects / linux / commit