RDMA/iwcm: Fix iwcm work deallocation

BernardMetzler · jgunthorpe · commit 810dbc69087b · 2020-03-04T14:28:25.000-04:00
The dealloc_work_entries() function must update the work_free_list pointer while freeing its entries, since potentially called again on same list. A second iteration of the work list caused system crash. This happens, if work allocation fails during cma_iw_listen() and free_cm_id() tries to free the list again during cleanup. Fixes: 922a8e9 ("RDMA: iWARP Connection Manager.") Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
@@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
 {
 	struct list_head *e, *tmp;
 
-	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
+	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
+		list_del(e);
 		kfree(list_entry(e, struct iwcm_work, free_list));
+	}
 }
 
 static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)

Original file line number	Diff line number	Diff line change
`@@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)`
`159`	`159`	`{`
`160`	`160`	`struct list_head e, tmp;`
`161`	`161`
`162`		`- list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)`
	`162`	`+ list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {`
	`163`	`+ list_del(e);`
`163`	`164`	`kfree(list_entry(e, struct iwcm_work, free_list));`
	`165`	`+ }`
`164`	`166`	`}`
`165`	`167`
`166`	`168`	`static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)`