RDMA/ucma: Fix use-after-free access in ucma_close
commit ed65a4d upstream.

The error in ucma_create_id() left ctx in the list of contexts belonging
to the ucma file descriptor. The attempt to close this file descriptor causes
use-after-free accesses while iterating over such a list.

Fixes: 7521663 ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <syzbot+dcfd344365a56fbebd0f@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Leon Romanovsky authored and gregkh committed Apr 8, 2018
1 parent c5f3efa commit 7b22ab5
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions drivers/infiniband/core/ucma.c
@@ -494,6 +494,9 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
mutex_lock(&mut);
idr_remove(&ctx_idr, ctx->id);
mutex_unlock(&mut);
mutex_lock(&file->mut);
list_del(&ctx->list);
mutex_unlock(&file->mut);
kfree(ctx);
return ret;
}
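Review bot: the new `list_del(&ctx->list);` block has no comment saying why it belongs here, and nothing in the visible context shows where ctx was linked into the file's context list; a one-line comment at `mutex_lock(&file->mut);` stating that ctx is unlinked from the file's list before `kfree(ctx);` so that closing the file descriptor cannot walk a freed entry would make the use-after-free fix self-explanatory. Since this hunk shows only this single cleanup block, it is also worth confirming that every failing return taken after ctx is allocated reaches it, rather than leaving the same dangling list entry on another path; the hunk alone cannot show that.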
