RDMA/rxe: Fix "kernel NULL pointer dereference" error

BugLink: https://bugs.launchpad.net/bugs/1996825
[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ]

When rxe_queue_init in the function rxe_qp_init_req fails,
both qp->req.task.func and qp->req.task.arg are not initialized.

Because of creation of qp fails, the function rxe_create_qp will
call rxe_qp_do_cleanup to handle allocated resource.

Before calling __rxe_do_task, both qp->req.task.func and
qp->req.task.arg should be checked.

Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev
Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 661b83d65af32def8763575bdbd6e74e33240f47..4a6eb6de3b083998f7534e7914ea8f1d395aaaba 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -793,7 +793,9 @@ void rxe_qp_destroy(struct rxe_qp *qp)
        rxe_cleanup_task(&qp->comp.task);
 
        /* flush out any receive wr's or pending requests */
-       __rxe_do_task(&qp->req.task);
+       if (qp->req.task.func)
+               __rxe_do_task(&qp->req.task);
+
        if (qp->sq.queue) {
                __rxe_do_task(&qp->comp.task);
                __rxe_do_task(&qp->req.task);