From: Jason Gunthorpe <jgg@nvidia.com>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: Leon Romanovsky <leon@kernel.org>,
	Jianbo Liu <jianbol@nvidia.com>,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yuhao Jiang <danisjiang@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
Date: Tue, 28 Apr 2026 12:48:45 -0300
Message-ID: <20260428154845.GA2767188@nvidia.com>
In-Reply-To: <SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com>

On Fri, Apr 24, 2026 at 01:51:02PM +0800, Junrui Luo wrote:
> mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
> ib_create_srq() fails for s1, the error branch destroys s0 but falls
> through and unconditionally assigns the freed s0 and the ERR_PTR s1
> to devr->s0 and devr->s1.
> 
> This leads to several problems: the lock-free fast path checks
> "if (devr->s1) return 0;" and treats the ERR_PTR as already
> initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or
> ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup()
> dereferences the ERR_PTR and double-frees s0 on teardown.
> 
> Fix by adding the same `goto unlock` in the s1 failure path.
> 
> Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
>  drivers/infiniband/hw/mlx5/main.c | 1 +
>  1 file changed, 1 insertion(+)

Applied to for rc

Thanks,
Jason
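
The failure mode described in the quoted commit message, reduced to a user-space C model. This is an added example, not the driver's code or the patch itself. `struct srq`, `create_srq()`, `destroy_srq()`, `fail_second`, `srq_init()` and `devr_is_sane()` are hypothetical stand-ins, and a `destroyed` flag replaces the real free so the resulting state can be inspected safely.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* User-space stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)e; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct srq { int destroyed; };          /* flag instead of free() */
struct devr { struct srq *s0, *s1; };   /* zero-initialised == not set up */

static struct srq pool[2];
static int fail_second;                 /* constructed fault injection */

static struct srq *create_srq(int idx)
{
	if (idx == 1 && fail_second)
		return ERR_PTR(-ENOMEM);
	pool[idx].destroyed = 0;
	return &pool[idx];
}
static void destroy_srq(struct srq *s) { s->destroyed = 1; }

/* fixed == 0 models the fall-through; fixed != 0 adds the early exit. */
static int srq_init(struct devr *d, int fixed)
{
	struct srq *s0, *s1;
	int ret = 0;

	if (d->s1)                      /* fast path: non-NULL means "done" */
		return 0;
	s0 = create_srq(0);
	if (IS_ERR(s0)) { ret = PTR_ERR(s0); goto unlock; }
	s1 = create_srq(1);
	if (IS_ERR(s1)) {
		ret = PTR_ERR(s1);
		destroy_srq(s0);
		if (fixed) goto unlock; /* without this, the stores below run */
	}
	d->s0 = s0;
	d->s1 = s1;
unlock:
	return ret;
}

/* 1 if devr holds only NULL or live pointers, 0 otherwise. */
static int devr_is_sane(const struct devr *d)
{
	if (d->s1 && IS_ERR(d->s1)) return 0;
	return !(d->s0 && d->s0->destroyed);
}
```

In the model, the unfixed path reports the error to its caller yet publishes both pointers, so a second call takes the fast path and returns 0 even though nothing usable was set up.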
