In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Set send and receive CQ before forwarding to the driver
Preset both receive and send CQ pointers prior to call to the drivers and overwrite it later again till the mlx4 is going to be changed do not overwrite ibqp properties.
This change is needed for mlx5, because in case of QP creation failure, it will go to the path of QP destroy which relies on proper CQ pointers.
BUG: KASAN: use-after-free in createqp.cold+0x164/0x16e [mlx5ib] Write of size 8 at addr ffff8880064c55c0 by task a.out/246
CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dumpstacklvl+0x45/0x59 printaddressdescription.constprop.0+0x1f/0x140 kasanreport.cold+0x83/0xdf createqp.cold+0x164/0x16e [mlx5ib] mlx5ibcreateqp+0x358/0x28a0 [mlx5ib] createqp.part.0+0x45b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae
Allocated by task 246: kasansavestack+0x1b/0x40 _kasankmalloc+0xa4/0xd0 createqp.part.0+0x92/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64after_hwframe+0x44/0xae
Freed by task 246: kasansavestack+0x1b/0x40 kasansettrack+0x1c/0x30 kasansetfreeinfo+0x20/0x30 _kasanslabfree+0x10c/0x150 slabfreefreelisthook+0xb4/0x1b0 kfree+0xe7/0x2a0 createqp.part.0+0x52b/0x6a0 [ibcore] ibcreateqpuser+0x97/0x150 [ibcore] ibuverbshandlerUVERBSMETHODQPCREATE+0x92c/0x1250 [ibuverbs] ibuverbscmdverbs+0x1c38/0x3150 [ibuverbs] ibuverbsioctl+0x169/0x260 [ibuverbs] _x64sysioctl+0x866/0x14d0 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x44/0xae