Merge: irdma: free iwdev->rf after removing MSI-X

MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-9/-/merge_requests/4402

JIRA: https://issues.redhat.com/browse/RHEL-95816
JIRA: https://issues.redhat.com/browse/RHEL-103278

commit 80f2ab4
Author: Michal Swiatkowski <[email protected]>
Date:   Mon Apr 14 18:42:30 2025 -0500

    irdma: free iwdev->rf after removing MSI-X

    Currently iwdev->rf is allocated in irdma_probe(), but free in
    irdma_ib_dealloc_device(). It can be misleading. Move the free to
    irdma_remove() to be more obvious.

    Freeing in irdma_ib_dealloc_device() leads to KASAN use-after-free
    issue. Which can also lead to NULL pointer dereference. Fix this.

    irdma_deinit_interrupts() can't be moved before freeing iwdef->rf,
    because in this case deinit interrupts will be done before freeing irqs.
    The simplest solution is to move kfree(iwdev->rf) to irdma_remove().

    Reproducer:
      sudo rmmod irdma

    Minified splat(s):
      BUG: KASAN: use-after-free in irdma_remove+0x257/0x2d0 [irdma]
      Call Trace:
       <TASK>
       ? __pfx__raw_spin_lock_irqsave+0x10/0x10
       ? kfree+0x253/0x450
       ? irdma_remove+0x257/0x2d0 [irdma]
       kasan_report+0xed/0x120
       ? irdma_remove+0x257/0x2d0 [irdma]
       irdma_remove+0x257/0x2d0 [irdma]
       auxiliary_bus_remove+0x56/0x80
       device_release_driver_internal+0x371/0x530
       ? kernfs_put.part.0+0x147/0x310
       driver_detach+0xbf/0x180
       bus_remove_driver+0x11b/0x2a0
       auxiliary_driver_unregister+0x1a/0x50
       irdma_exit_module+0x40/0x4c [irdma]

      Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:ice_free_rdma_qvector+0x2a/0xa0 [ice]
      Call Trace:
       ? ice_free_rdma_qvector+0x2a/0xa0 [ice]
       irdma_remove+0x179/0x2d0 [irdma]
       auxiliary_bus_remove+0x56/0x80
       device_release_driver_internal+0x371/0x530
       ? kobject_put+0x61/0x4b0
       driver_detach+0xbf/0x180
       bus_remove_driver+0x11b/0x2a0
       auxiliary_driver_unregister+0x1a/0x50
       irdma_exit_module+0x40/0x4c [irdma]

    Reported-by: Marcin Szycik <[email protected]>
    Closes: https://lore.kernel.org/netdev/[email protected]/
    Fixes: 3e0d3cb ("ice, irdma: move interrupts code to irdma")
    Reviewed-by: Marcin Szycik <[email protected]>
    Signed-off-by: Michal Swiatkowski <[email protected]>
    Signed-off-by: Tatyana Nikolova <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Leon Romanovsky <[email protected]>

Signed-off-by: Kamal Heib <[email protected]>

Approved-by: Michal Schmidt <[email protected]>
Approved-by: mheib <[email protected]>
Approved-by: Jay Shin <[email protected]>
Approved-by: CKI KWF Bot <[email protected]>

Merged-by: Augusto Caringi <[email protected]>

Author: caringi

drivers/infiniband/hw/irdma/main.c

@@ -255,6 +255,8 @@ static void irdma_remove(struct auxiliary_device *aux_dev)
 	ice_rdma_update_vsi_filter(pf, iwdev->vsi_num, false);
 	irdma_deinit_interrupts(iwdev->rf, pf);
 
+	kfree(iwdev->rf);
+
 	pr_debug("INIT: Gen2 PF[%d] device remove success\n", PCI_FUNC(pf->pdev->devfn));
 }
 

drivers/infiniband/hw/irdma/verbs.c

@@ -4871,5 +4871,4 @@ void irdma_ib_dealloc_device(struct ib_device *ibdev)
 
 	irdma_rt_deinit_hw(iwdev);
 	irdma_ctrl_deinit_hw(iwdev->rf);
-	kfree(iwdev->rf);
 }