From nobody Mon Jun 8 06:36:51 2026 Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03D54394783 for ; Mon, 1 Jun 2026 10:54:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780311254; cv=none; b=e1872PGT7hrsJVLw8/yo+cGlmL06LcmWGPGN+R6NYXvdsE2DhyXZd2bXAL1o8ZzORzvGpgzZPHh4vqbwhBXZNlZEwVkVxZvAfxj6NduooKFcNCmAzffjF2udBDnlTUs1nf/Hw1R/Lqc1S7gbrNSTup0JqZ3sslxr1lUr45+SfqM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780311254; c=relaxed/simple; bh=aBqwRcjjrirAEQcYUzGrlCWqcSI+0qm6EGsqltY6yx8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Yb5nci8loa2L/pEbglAqjQJXbo/dUosBDbRdUF59QWCaxXb1Zc9aH+cWKIHE3Qr/q+GoY/Ac3tvjjP6FCNZDCiKwi1yBaz21obZUkAxMH09ePGad3irIwGZIIewVUAoLHNrtalIERKl7IKpym30uWmZw5Ojo2zZq7GfzJWvrlGc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=YMtAkGfh; arc=none smtp.client-ip=209.85.208.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YMtAkGfh" Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-39677c434efso14224151fa.3 for ; Mon, 01 Jun 2026 03:54:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780311251; x=1780916051; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=lFXg3u3Hl1xsWJNPPj6ianatRb4V7SHTMso00cbxCeY=; b=YMtAkGfhBSUTJtXvRvAmSFQtqkI4LW5g2KiGEicDsLCdw5BQ6QWD9cLLapBuxjPP0+ xHTECCMQ2d8Tc2cuY3/qGoHJt90mHvpkbsft3Gh5pGNn87zQPD2JgfSaZBXWbcSlukBS MLIhWYNy/GaZqbjMJ8Dx8ye5XmoJTABWe1yPdofQhw/7PXKOO3iqxUDoI1K/XVwNe5PW kk0jLSQpq5LEfWvYZuCxSa54mM8FZgUERQP96Y94yM3MfcqbOP5NQrF4yaJH8Fc6gMdU AvgEXpWj7GCsX1krCIcg4dOf3p33qMqPaHc1g4y4g5JxvfSt+IOtVDwuUrnXviIXn79+ 3HAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780311251; x=1780916051; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=lFXg3u3Hl1xsWJNPPj6ianatRb4V7SHTMso00cbxCeY=; b=EtxnZU1EBiIr5zdxQnEfJ8o4mRdlEwnMJIKuhLAq46gHkWg1gFqPguq+OwjwbL6wIB w8S1JF+YW4hjmXevGEBI0V0ON8lFaLyFZfRnbfHk4frBwglUkVAOQhIUJRktdkw0bdG5 DuY5e1SYXrNYP8NKWDisIC7KyI5GmdQPUoo3p3tCDp9DLZSWx0fS39wwSHRXqtx1+6Kn aNQp0Dre+SHJKPfGL/CUtN22MmzhFBeGxDpV1Rtd7dgzc9p1GJCqavMm7XGpFHu3lKG/ iawJXL9oiWJpuZjNFnlJWE35dW9nC2EjQdht6QuJYq2GaFOKV4ZDK5jeQhO11NtgC2pA kheQ== X-Forwarded-Encrypted: i=1; AFNElJ+OAh1IKDgcuoB3lcDqAdB0EZllUyGl+5syLpRiYCg+wAI+Yk+mcNCO7S+rRXJwIvarmouN7cUTR7GzJRw=@vger.kernel.org X-Gm-Message-State: AOJu0Ywv/cFgqKL2FRIdBF4BPRkM1P3MVrGjntHZC/gTQD+iIR35um9t kU72RaK12p6OrZzZmmQlmL4tGRFbiGpAplXSfju6GL2yH3L2jVZdOLaz2ufkqJhZczY= X-Gm-Gg: Acq92OFmtHLyIzRZ6Gohmf//Vwe2c7DL+LiHQTjgXnAmquz4M5mPyPxtmf/wFqTYnGs gSmoJJFEDHVOfHq8cxskqwiLlB0/8DXkz1VNlnz+01JJyEL+SlP0rZ9SnETSsNJknRWaG/a7pO0 OJ8TRmXtsS1QBK2j6MXT1a9stOPkurkwrB6+QcPDf3MaIqtqyNojE4jcqYFgI7Gm7zHvUOzFNrr XhIA58sLixk0cGmSV9bZ81v8z7QHCzZVNQDlIU7BujZGf5Wx8MErzQ6r1IM939DbagepMR7i8Ui aDDSmB0//B8DnJqGnNtYkS2hLxvpCEtOi39OBatNQwIY+g8B6uKenIk+yOJ+7NzjAGwg3Az4dhl pWFbG/ahz1FK0GG/PelfEYlTT9SjRBCnLsapICEfC9BP9dEOPxPZGcD1Sgs5h9GHh9KaXu1ob1J /FfXMEsAhrgNneOmN7ddwoa65bg0s5GEIUgo1Ph4cTQKNE7bmLKeeaDkRgSUy4l3roAuiSxbE6P oeRQ0I= X-Received: by 2002:a05:651c:4419:10b0:395:fded:ee35 with SMTP id 38308e7fff4ca-39664e39419mr20850381fa.3.1780311251119; Mon, 01 Jun 2026 03:54:11 -0700 (PDT) Received: from c0624c666cc5.devsec.astralinux.ru ([93.188.205.42]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-3967a2e7abcsm10381351fa.8.2026.06.01.03.54.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Jun 2026 03:54:10 -0700 (PDT) From: Vladislav Nikolaev To: stable@vger.kernel.org, Greg Kroah-Hartman Cc: Vladislav Nikolaev , Zhu Yanjun , Doug Ledford , Jason Gunthorpe , Haggai Eran , Kamal Heib , Amir Vadai , Moni Shoua , Yonatan Cohen , Leon Romanovsky , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Zhu Yanjun , lvc-project@linuxtesting.org, syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com, Zhu Yanjun Subject: [PATCH 5.10/5.15] RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task" Date: Mon, 1 Jun 2026 13:52:32 +0300 Message-ID: <20260601105336.3023-1-vlad102nikolaev@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Zhu Yanjun commit b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad upstream. In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like rxe_init_task are not setup until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. If rxe_init_task is not executed, rxe_cleanup_task will not be called. Reported-by: syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=3Dfd85757b74b3eb59f904138486f755= f71e090df8 Fixes: 8700e3e7c485 ("Soft RoCE driver") Fixes: 2d4b21e0a291 ("IB/rxe: Prevent from completer to operate on non vali= d QP") Signed-off-by: Zhu Yanjun Link: https://lore.kernel.org/r/20230413101115.1366068-1-yanjun.zhu@intel.c= om Signed-off-by: Leon Romanovsky Signed-off-by: Vladislav Nikolaev --- Backport fix for CVE-2023-54028 drivers/infiniband/sw/rxe/rxe_qp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe= /rxe_qp.c index 13b237d93a61..687d4419388f 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -785,8 +785,11 @@ void rxe_qp_destroy(struct rxe_qp *qp) del_timer_sync(&qp->rnr_nak_timer); } =20 - rxe_cleanup_task(&qp->req.task); - rxe_cleanup_task(&qp->comp.task); + if (qp->req.task.func) + rxe_cleanup_task(&qp->req.task); + + if (qp->comp.task.func) + rxe_cleanup_task(&qp->comp.task); =20 /* flush out any receive wr's or pending requests */ if (qp->req.task.func) --=20 2.47.3