* [PATCH rdma-next] RDMA/mlx5: Fix NULL pointer dereference on INTEGRITY MR dereg retry
@ 2026-06-08 5:07 Tao Cui
2026-06-09 9:59 ` Michael Gur
0 siblings, 1 reply; 2+ messages in thread
From: Tao Cui @ 2026-06-08 5:07 UTC
To: leon, jgg, linux-rdma; +Cc: Tao Cui

From: Tao Cui <cuitao@kylinos.cn>

In __mlx5_ib_dereg_mr(), the INTEGRITY MR cleanup block destroys PSVs
and frees mr->sig before calling mlx5r_handle_mkey_cleanup(). If the
mkey destroy fails and the function is retried, mr->sig is already
NULL but the PSV destroy code dereferences it unconditionally.

Add a NULL check on mr->sig to guard the PSV destroy and kfree block,
making the retry path safe. This is consistent with the existing NULL
checks on mr->mtt_mr and mr->klm_mr in the same cleanup block.

Fixes: e6fb246ccafb ("RDMA/mlx5: Consolidate MR destruction to mlx5_ib_dereg_mr()")
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
drivers/infiniband/hw/mlx5/mr.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
index 254e6aa4ccaf..3b5216752017 100644
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -1436,15 +1436,18 @@ static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr)
mr->klm_mr = NULL;
}
- if (mlx5_core_destroy_psv(dev->mdev,
- mr->sig->psv_memory.psv_idx))
- mlx5_ib_warn(dev, "failed to destroy mem psv %d\n",
- mr->sig->psv_memory.psv_idx);
- if (mlx5_core_destroy_psv(dev->mdev, mr->sig->psv_wire.psv_idx))
- mlx5_ib_warn(dev, "failed to destroy wire psv %d\n",
- mr->sig->psv_wire.psv_idx);
- kfree(mr->sig);
- mr->sig = NULL;
+ if (mr->sig) {
+ if (mlx5_core_destroy_psv(dev->mdev,
+ mr->sig->psv_memory.psv_idx))
+ mlx5_ib_warn(dev, "failed to destroy mem psv %d\n",
+ mr->sig->psv_memory.psv_idx);
+ if (mlx5_core_destroy_psv(dev->mdev,
+ mr->sig->psv_wire.psv_idx))
+ mlx5_ib_warn(dev, "failed to destroy wire psv %d\n",
+ mr->sig->psv_wire.psv_idx);
+ kfree(mr->sig);
+ mr->sig = NULL;
+ }
}
/* Stop DMA */
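Review bot: inside the new `if (mr->sig)` block a failed mlx5_core_destroy_psv() is still only logged, and `kfree(mr->sig); mr->sig = NULL;` runs regardless, so on the retry this guard is meant to make safe, a PSV whose destroy failed on the first pass is silently skipped and its psv_idx is gone. If a second call is a supported path, add a short comment above the guard stating that mr->sig == NULL means the signature context was already torn down on an earlier pass and that PSV destruction is attempted once only; as written, the check reads as if an INTEGRITY MR could legitimately have no mr->sig.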
--
2.43.0
* Re: [PATCH rdma-next] RDMA/mlx5: Fix NULL pointer dereference on INTEGRITY MR dereg retry
From: Michael Gur @ 2026-06-09 9:59 UTC
To: Tao Cui, leon, jgg, linux-rdma; +Cc: Tao Cui
On 6/8/2026 8:07 AM, Tao Cui wrote:
> From: Tao Cui <cuitao@kylinos.cn>
>
> In __mlx5_ib_dereg_mr(), the INTEGRITY MR cleanup block destroys PSVs
> and frees mr->sig before calling mlx5r_handle_mkey_cleanup(). If the
> mkey destroy fails and the function is retried, mr->sig is already
> NULL but the PSV destroy code dereferences it unconditionally.
>
> Add a NULL check on mr->sig to guard the PSV destroy and kfree block,
> making the retry path safe. This is consistent with the existing NULL
> checks on mr->mtt_mr and mr->klm_mr in the same cleanup block.

This is unnecessary defensive coding.
The kernel verbs contract is that destroy should never fail for kernel
callers, and ULPs do not retry on failure.
That already holds in-tree: no kernel caller inspects the dereg return
value for anything beyond logging.
This convention is already present in the code for other verbs, see
ib_destroy_cq() in include/rdma/ib_verbs.h, which WARN_ONCEs on kernel
failure ("Destroy of kernel CQ shouldn't fail").
The motivation is spelled out in commit 43d781b9fa56 ("RDMA: Allow fail
of destroy CQ").

Michael

> Fixes: e6fb246ccafb ("RDMA/mlx5: Consolidate MR destruction to mlx5_ib_dereg_mr()")
> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
> ---
> drivers/infiniband/hw/mlx5/mr.c | 21 ++++++++++++---------
> 1 file changed, 12 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
> index 254e6aa4ccaf..3b5216752017 100644
> --- a/drivers/infiniband/hw/mlx5/mr.c
> +++ b/drivers/infiniband/hw/mlx5/mr.c
> @@ -1436,15 +1436,18 @@ static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr)
> mr->klm_mr = NULL;
> }
>
> - if (mlx5_core_destroy_psv(dev->mdev,
> - mr->sig->psv_memory.psv_idx))
> - mlx5_ib_warn(dev, "failed to destroy mem psv %d\n",
> - mr->sig->psv_memory.psv_idx);
> - if (mlx5_core_destroy_psv(dev->mdev, mr->sig->psv_wire.psv_idx))
> - mlx5_ib_warn(dev, "failed to destroy wire psv %d\n",
> - mr->sig->psv_wire.psv_idx);
> - kfree(mr->sig);
> - mr->sig = NULL;
> + if (mr->sig) {
> + if (mlx5_core_destroy_psv(dev->mdev,
> + mr->sig->psv_memory.psv_idx))
> + mlx5_ib_warn(dev, "failed to destroy mem psv %d\n",
> + mr->sig->psv_memory.psv_idx);
> + if (mlx5_core_destroy_psv(dev->mdev,
> + mr->sig->psv_wire.psv_idx))
> + mlx5_ib_warn(dev, "failed to destroy wire psv %d\n",
> + mr->sig->psv_wire.psv_idx);
> + kfree(mr->sig);
> + mr->sig = NULL;
> + }
> }
>
> /* Stop DMA */
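Review bot: the `if (mr->sig) {` guard only has an effect if __mlx5_ib_dereg_mr() is entered a second time for the same MR, and neither the hunk nor the changelog names the caller that does so after the mkey destroy fails. The changelog should identify that call path, or include the trace that hit the dereference, so that the Fixes: tag and the need for the check can be evaluated against the objection that kernel callers do not retry.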