d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ibcore: Fix a race with disassociate and exit_mmap()

Browse Source 
If uverbs_user_mmap_disassociate() is called while the mmap is
concurrently doing exit_mmap then the ordering of the
rdma_user_mmap_entry_put() is not reliable.

The put must be done before uvers_user_mmap_disassociate() returns,
otherwise there can be a use after free on the ucontext, and a left over
entry in the xarray. If the put is not done here then it is done during
rdma_umap_close() later.

Add the missing put to the error exit path.

Linux commit:
39c011a538272589b9eb02ff1228af528522a22c

PR:		264473
MFC after:	3 days
Sponsored by:	NVIDIA Networking
This commit is contained in:
Hans Petter Selasky 2022-06-21 11:23:55 +02:00
parent 55d1833671
commit 9fc6a63522
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
View File

@ -778,6 +778,10 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
ret = mmget_not_zero(mm);
if (!ret) {
list_del_init(&priv->list);
if (priv->entry) {
rdma_user_mmap_entry_put(priv->entry);
priv->entry = NULL;
}
mm = NULL;
continue;
}