Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e1bcfcaa authored by Roland Dreier's avatar Roland Dreier Committed by Linus Torvalds
Browse files

[PATCH] IB: fix use-after-free in user verbs cleanup 



Fix a use-after-free bug in userspace verbs cleanup: we can't touch
mr->device after we free mr by calling ib_dereg_mr().

Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 1c9cf6f9

drivers/infiniband/core/uverbs_main.c

+2 −1
Original line number Original line Diff line number Diff line
@@ -130,13 +130,14 @@ static int ib_dealloc_ucontext(struct ib_ucontext *context) 




	list_for_each_entry_safe(uobj, tmp, &context->mr_list, list) {

	list_for_each_entry_safe(uobj, tmp, &context->mr_list, list) {

		struct ib_mr *mr = idr_find(&ib_uverbs_mr_idr, uobj->id);

		struct ib_mr *mr = idr_find(&ib_uverbs_mr_idr, uobj->id);

		struct ib_device *mrdev = mr->device;

		struct ib_umem_object *memobj;

		struct ib_umem_object *memobj;





		idr_remove(&ib_uverbs_mr_idr, uobj->id);

		idr_remove(&ib_uverbs_mr_idr, uobj->id);

		ib_dereg_mr(mr);

		ib_dereg_mr(mr);





		memobj = container_of(uobj, struct ib_umem_object, uobject);

		memobj = container_of(uobj, struct ib_umem_object, uobject);

		ib_umem_release_on_close(mr->device, &memobj->umem);

		ib_umem_release_on_close(mrdev, &memobj->umem);





		list_del(&uobj->list);

		list_del(&uobj->list);

		kfree(memobj);

		kfree(memobj);