ibcore: Fix use-after-free access in ucma_close()

The error in ucma_create_id() left ctx in the list of contexts belong to ucma file descriptor. The attempt to close this file descriptor causes to use-after-free accesses while iterating over such list. Linux commit: ed65a4dc22083e73bac599ded6a262318cad7baf PR: 264650 MFC after: 1 week Sponsored by: NVIDIA Networking
2022-06-13 16:55:14 +02:00 · 2022-06-13 16:55:14 +02:00 · 66a0bc2105
commit 66a0bc2105
parent e4d178d093
1 changed files with 3 additions and 0 deletions
--- a/sys/ofed/drivers/infiniband/core/ib_ucma.c
+++ b/sys/ofed/drivers/infiniband/core/ib_ucma.c
@ -508,6 +508,9 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);
 	mutex_unlock(&mut);
+	mutex_lock(&file->mut);
+	list_del(&ctx->list);
+	mutex_unlock(&file->mut);
 	kfree(ctx);
 	return ret;
 }