RDMA/irdma: Prevent QP use after free

author Mustafa Ismail <mustafa.ismail@intel.com>

Mon, 22 May 2023 15:56:53 +0000 (10:56 -0500)

committer Jason Gunthorpe <jgg@nvidia.com>

Mon, 29 May 2023 17:06:29 +0000 (14:06 -0300)
author Mustafa Ismail <mustafa.ismail@intel.com>
Mon, 22 May 2023 15:56:53 +0000 (10:56 -0500)
committer Jason Gunthorpe <jgg@nvidia.com>
Mon, 29 May 2023 17:06:29 +0000 (14:06 -0300)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c

index ab5cdf78278521123c92f8ff4482144797b765f6..68ce3cd400029d6d146e8b01941bec5a5920d3ef 100644 (file)
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -522,11 +522,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
         if (!iwqp->user_mode)
                 cancel_delayed_work_sync(&iwqp->dwork_flush);
  
-       irdma_qp_rem_ref(&iwqp->ibqp);
-       wait_for_completion(&iwqp->free_qp);
-       irdma_free_lsmm_rsrc(iwqp);
-       irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
-
         if (!iwqp->user_mode) {
                 if (iwqp->iwscq) {
                         irdma_clean_cqes(iwqp, iwqp->iwscq);
@@ -534,6 +529,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
                                 irdma_clean_cqes(iwqp, iwqp->iwrcq);
                 }
         }
+
+       irdma_qp_rem_ref(&iwqp->ibqp);
+       wait_for_completion(&iwqp->free_qp);
+       irdma_free_lsmm_rsrc(iwqp);
+       irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp);
+
         irdma_remove_push_mmap_entries(iwqp);
         irdma_free_qp_rsrc(iwqp);
author	Mustafa Ismail <mustafa.ismail@intel.com>
	Mon, 22 May 2023 15:56:53 +0000 (10:56 -0500)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Mon, 29 May 2023 17:06:29 +0000 (14:06 -0300)