From: Vladislav Nikolaev
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Vladislav Nikolaev, Zhu Yanjun, Doug Ledford, Jason Gunthorpe, Haggai Eran, Kamal Heib, Amir Vadai, Moni Shoua, Yonatan Cohen, Leon Romanovsky, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Zhu Yanjun, lvc-project@linuxtesting.org, syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com, Zhu Yanjun
Subject: [PATCH v2 5.10/5.15] RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
Date: Wed, 3 Jun 2026 15:18:45 +0300
Message-ID: <20260603121902.274-1-vlad102nikolaev@gmail.com>

From: Zhu Yanjun

commit b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad upstream.

In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like rxe_init_task are not setup until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. If rxe_init_task is not executed, rxe_cleanup_task will not be called.

Reported-by: syzbot+cfcc1a3c85be15a40cba@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=fd85757b74b3eb59f904138486f755f71e090df8
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Fixes: 2d4b21e0a291 ("IB/rxe: Prevent from completer to operate on non valid QP")
Signed-off-by: Zhu Yanjun Link: https://lore.kernel.org/r/20230413101115.1366068-1-yanjun.zhu@intel.c= om Signed-off-by: Leon Romanovsky [ Vladislav: match upstream cleanup order and add the missing resp.task.func check. ] Signed-off-by: Vladislav Nikolaev --- v2: Move rxe_cleanup_task(&qp->resp.task) after RC timer cleanup. Add missing qp->resp.task.func check before cleaning up the responder task. Backport fix for CVE-2023-54028. drivers/infiniband/sw/rxe/rxe_qp.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe= /rxe_qp.c index 4c938d841f76..616efae0c09a 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -760,15 +760,20 @@ void rxe_qp_destroy(struct rxe_qp *qp) { qp->valid =3D 0; qp->qp_timeout_jiffies =3D 0; - rxe_cleanup_task(&qp->resp.task); =20 if (qp_type(qp) =3D=3D IB_QPT_RC) { del_timer_sync(&qp->retrans_timer); del_timer_sync(&qp->rnr_nak_timer); } =20 - rxe_cleanup_task(&qp->req.task); - rxe_cleanup_task(&qp->comp.task); + if (qp->resp.task.func) + rxe_cleanup_task(&qp->resp.task); +=09 + if (qp->req.task.func) + rxe_cleanup_task(&qp->req.task); + + if (qp->comp.task.func) + rxe_cleanup_task(&qp->comp.task); =20 /* flush out any receive wr's or pending requests */ if (qp->req.task.func) --=20 2.39.5
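
Review bot: In rxe_qp_destroy(), the RC branch still calls del_timer_sync(&qp->retrans_timer) and del_timer_sync(&qp->rnr_nak_timer) unconditionally, while the three rxe_cleanup_task() calls below it now depend on task.func being set. The commit message says the failure can happen before rxe_qp_init_req() has run; if the timers are also only set up from that point, this same unwind path reaches them uninitialised. Please either state in the changelog where the timers are initialised relative to the failure point or guard the branch the same way. Two smaller points: the new `if (qp->resp.task.func)` checks only work if the qp structure is zeroed at allocation, which is worth a one-line comment above the first check, and the separator line added after `rxe_cleanup_task(&qp->resp.task);` contains a lone tab (`+=09` in the quoted-printable body), which checkpatch will report as trailing whitespace and should be an empty line like the other two separators.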