RDMA/core: Fix memory free for GID table

When removing a RXE device, kernel oops:

    RIP: 0010:free_large_kmalloc+0xf6/0x140
    Code: 75 28 0f 0b 44 0f b6 2d a5 d6 d1 01 41 80 fd 01 0f 87 7c d1 ad ff 41 83 e5 01 74 3d 41 bc 00 f0 ff ff 45 31 ed e9 61 ff ff ff <0f> 0b 48 c7 c6 af b1 70 83 48 89 df e8 79 0a fa ff 5b 41 5c 41 5d
    RSP: 0018:ffffd038c18074d8 EFLAGS: 00010293
    RAX: 0017ffffc0000000 RBX: fffff86984219d00 RCX: 0000000000000000
    RDX: 00000000000000f0 RSI: ffff899b88674000 RDI: fffff86984219d00
    RBP: ffffd038c18074f0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff899b88674000
    R13: 0000000000000001 R14: ffff899b88674000 R15: ffff899b86180000
    FS:  00007b163c71c740(0000) GS:ffff899c378bf000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007b163c730200 CR3: 0000000106a1d000 CR4: 0000000000350ef0
    Call Trace:
     <TASK>
     kfree+0x163/0x3a0
     gid_table_release_one+0xaf/0xf0 [ib_core]
     ib_cache_release_one+0x66/0x80 [ib_core]
     ib_device_release+0x48/0xb0 [ib_core]
     device_release+0x44/0xa0
     kobject_put+0x9b/0x250
     put_device+0x13/0x30
     ib_unregister_device_and_put+0x40/0x60 [ib_core]
     nldev_dellink+0xd3/0x140 [ib_core]
     rdma_nl_rcv_msg+0x11d/0x300 [ib_core]
     ? netlink_bind+0x141/0x3a0
     rdma_nl_rcv_skb.constprop.0.isra.0+0xba/0x110 [ib_core]
     rdma_nl_rcv+0xe/0x20 [ib_core]
     netlink_unicast+0x28d/0x3e0
     netlink_sendmsg+0x214/0x470
     __sys_sendto+0x21f/0x230
     __x64_sys_sendto+0x24/0x40
     x64_sys_call+0x1888/0x26e0
     do_syscall_64+0xcb/0x14d0
     ? _copy_from_user+0x27/0x70
     ? do_sock_setsockopt+0xbd/0x190
     ? __sys_setsockopt+0x72/0xd0
     ? __x64_sys_setsockopt+0x1f/0x40
     ? x64_sys_call+0x221b/0x26e0
     ? do_syscall_64+0x109/0x14d0
     ? exc_page_fault+0x92/0x1c0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

GID table is allocated by kzalloc_flex() instead of raw kzalloc_obj(),
kfree() should not be called on the data_vec flex array.

Fixes: cef2842c922c ("RDMA/core: Use kzalloc_flex for GID table")
Link: https://patch.msgid.link/r/20260406132830.435381-2-zhenwei.pi@linux.dev
Reported-by: syzbot+4334f9a250019c1b79b4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/69cc35ec.a70a0220.97f31.02a2.GAE@google.com
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index 896486fa6185833e4b470e9d18501a3b116211fd..647a547e2d7fb20721ed5fecdccd723891ba2ef2 100644 (file)
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -801,7 +801,6 @@ static void release_gid_table(struct ib_device *device,
        }
 
        mutex_destroy(&table->lock);
-       kfree(table->data_vec);
        kfree(table);
 }