librdmacm: prevent NULL pointer access during device initialization

When an RNIC with node_guid 0 is present, rdma_resolve_addr succeeds with ADDR_RESOLVED but subsequent device initialization can fail. This occurs because ucma_query_addr and ucma_query_route skip device initialization when the kernel returns a zero node_guid, leading to NULL pointer access in ucma_process_addr_resolved. Add explicit NULL checks for id->verbs after ucma_query_addr and ucma_query_route calls. Return ENODEV error if device initialization fails, ensuring proper error propagation instead of crashes. Note: ucma_query_addr must still return success in this case as it's used for probing AF_IB support, which intentionally skips device initialization. Fixes: 7162325 ("librdmacm: replace query_route call with separate queries") Signed-off-by: Luke Yue <[email protected]>
linux-rdma · Jan 28, 2025 · 4182dc8 · 4182dc8
1 parent c53e4b9
commit 4182dc8
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/librdmacm/cma.c b/librdmacm/cma.c
@@ -2252,17 +2252,30 @@ int rdma_ack_cm_event(struct rdma_cm_event *event)
 
 static void ucma_process_addr_resolved(struct cma_event *evt)
 {
+	struct rdma_cm_id *id = &evt->id_priv->id;
+
 	if (af_ib_support) {
-		evt->event.status = ucma_query_addr(&evt->id_priv->id);
+		evt->event.status = ucma_query_addr(id);
+		if (!evt->event.status && !id->verbs)
+			goto err_dev;
+
 		if (!evt->event.status &&
-		    evt->id_priv->id.verbs->device->transport_type == IBV_TRANSPORT_IB)
-			evt->event.status = ucma_query_gid(&evt->id_priv->id);
+		    id->verbs->device->transport_type == IBV_TRANSPORT_IB) {
+			evt->event.status = ucma_query_gid(id);
+		}
 	} else {
-		evt->event.status = ucma_query_route(&evt->id_priv->id);
+		evt->event.status = ucma_query_route(id);
+		if (!evt->event.status && !id->verbs)
+			goto err_dev;
 	}
 
 	if (evt->event.status)
 		evt->event.event = RDMA_CM_EVENT_ADDR_ERROR;
+	return;
+
+err_dev:
+	evt->event.status = ERR(ENODEV);
+	evt->event.event = RDMA_CM_EVENT_ADDR_ERROR;
 }
 
 static void ucma_process_route_resolved(struct cma_event *evt)