ibcore: Fix a race with disassociate and exit_mmap()
If uverbs_user_mmap_disassociate() is called while the mmap is concurrently doing exit_mmap then the ordering of the rdma_user_mmap_entry_put() is not reliable. The put must be done before uvers_user_mmap_disassociate() returns, otherwise there can be a use after free on the ucontext, and a left over entry in the xarray. If the put is not done here then it is done during rdma_umap_close() later. Add the missing put to the error exit path. Linux commit: 39c011a538272589b9eb02ff1228af528522a22c PR: 264473 MFC after: 3 days Sponsored by: NVIDIA Networking
This commit is contained in:
parent
55d1833671
commit
9fc6a63522
@ -778,6 +778,10 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
|
||||
ret = mmget_not_zero(mm);
|
||||
if (!ret) {
|
||||
list_del_init(&priv->list);
|
||||
if (priv->entry) {
|
||||
rdma_user_mmap_entry_put(priv->entry);
|
||||
priv->entry = NULL;
|
||||
}
|
||||
mm = NULL;
|
||||
continue;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user