ibcore: Fix a race with disassociate and exit_mmap()
If uverbs_user_mmap_disassociate() is called while the mmap is concurrently doing exit_mmap then the ordering of the rdma_user_mmap_entry_put() is not reliable. The put must be done before uverbs_user_mmap_disassociate() returns, otherwise there can be a use after free on the ucontext, and a leftover entry in the xarray. If the put is not done here then it is done during rdma_umap_close() later. Add the missing put to the error exit path. Linux commit: 39c011a538272589b9eb02ff1228af528522a22c PR: 264473 MFC after: 3 days Sponsored by: NVIDIA Networking
parent
55d1833671
commit
9fc6a63522
@ -778,6 +778,10 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
|
|||||||
ret = mmget_not_zero(mm);
|
ret = mmget_not_zero(mm);
|
||||||
if (!ret) {
|
if (!ret) {
|
||||||
list_del_init(&priv->list);
|
list_del_init(&priv->list);
|
||||||
|
if (priv->entry) {
|
||||||
|
rdma_user_mmap_entry_put(priv->entry);
|
||||||
|
priv->entry = NULL;
|
||||||
|
}
|
||||||
mm = NULL;
|
mm = NULL;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
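Review bot: The added `priv->entry = NULL;` in the `if (!ret)` branch is the only thing that stops the later rdma_umap_close() path from dropping the same reference a second time, and nothing in the branch records that. I would put a comment above `if (priv->entry) {` along the lines of `/* mm is already in exit_mmap(): drop the entry ref now; rdma_umap_close() must see NULL and skip its put */`. The hunk does not show rdma_umap_close() or the lock held around this loop, so it is worth confirming that the close path tests priv->entry under the same lock that protects this list walk; if it does not, the use-after-free described in the commit message turns into a double put on the entry. The enclosing loop and uverbs_user_mmap_disassociate() itself start and end outside the hunk.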