[PATCH] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

Next message: Baolu Lu: "Re: [PATCH rc v7 3/6] iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()"
Previous message: Mukesh Kumar Chaurasiya (IBM): "[PATCH V13 4/7] rust/powerpc: Set min rustc version for powerpc"
Next in thread: Jason Gunthorpe: "Re: [PATCH] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Fri Apr 24 2026 - 01:52:12 EST

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1
to devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already
initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or
ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup()
dereferences the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/infiniband/hw/mlx5/main.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 635002e684a5..356a7c7856e7 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3380,6 +3380,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev)
"Couldn't create SRQ 1 for res init, err=%pe\n",
s1);
ib_destroy_srq(s0);
+ goto unlock;
}

devr->s0 = s0;

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260424-fixes-8bbfee568617

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>