From: wenglianfa <wenglianfa@huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICJYA1 ---------------------------------------------------------------------- rsv_qp will be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Here fix it. list_del corruption, ffff589732eb9b50->next is LIST_POISON1 ... Call trace: __list_del_entry_valid+0x148/0x240 hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] hclge_notify_roce_client+0x6c/0x160 [hclge] hclge_reset_rebuild+0x150/0x5c0 [hclge] hclge_reset+0x10c/0x140 [hclge] hclge_reset_subtask+0x80/0x104 [hclge] hclge_reset_service_task+0x168/0x3ac [hclge] hclge_service_task+0x50/0x100 [hclge] process_one_work+0x250/0x9a0 worker_thread+0x324/0x990 kthread+0x190/0x210 ret_from_fork+0x10/0x18 Fixes: ec799ad0f9d3 ("RDMA/hns: Fix Use-After-Free of rsv_qp") Signed-off-by: wenglianfa <wenglianfa@huawei.com> Signed-off-by: Donghua Huang <huangdonghua3@h-partners.com> --- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 25 +++++++++++----------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index e91fbc39d7b0..b91400e2bd5a 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -3357,11 +3357,20 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) { int ret; + if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { + ret = free_mr_init(hr_dev); + if (ret) { + dev_err(hr_dev->dev, "failed to init free mr!\n"); + return ret; + } + } + + ret = hns_roce_v2_get_reset_page(hr_dev); if (ret) { dev_err(hr_dev->dev, "reset state init failed, ret = %d.\n", ret); - return ret; + goto error_get_reset_page_failed; } /* The hns ROCEE requires the extdb info to be cleared before using */ @@ -3390,6 +3399,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) put_hem_table(hr_dev); err_clear_extdb_failed: hns_roce_v2_put_reset_page(hr_dev); +error_get_reset_page_failed: + if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) + free_mr_exit(hr_dev); return ret; } @@ -8013,21 +8025,10 @@ static int __hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) goto error_failed_roce_init; } - if (pdev->revision == PCI_REVISION_ID_HIP08) { - ret = free_mr_init(hr_dev); - if (ret) { - dev_err(hr_dev->dev, "failed to init free mr!\n"); - goto error_failed_free_mr_init; - } - } - handle->priv = hr_dev; return 0; -error_failed_free_mr_init: - hns_roce_exit(hr_dev, true); - error_failed_roce_init: kfree(hr_dev->priv); -- 2.33.0