From: Jason Gunthorpe <jgg@nvidia.com>
To: <trix@redhat.com>
Cc: <selvin.xavier@broadcom.com>, <devesh.sharma@broadcom.com>,
<dledford@redhat.com>, <leon@kernel.org>, <maxg@mellanox.com>,
<galpress@amazon.com>, <michaelgur@nvidia.com>,
<monis@mellanox.com>, <gustavoars@kernel.org>,
<linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()
Date: Thu, 7 Jan 2021 16:41:02 -0400 [thread overview]
Message-ID: <20210107204102.GA933840@nvidia.com> (raw)
In-Reply-To: <20201230024653.1516495-1-trix@redhat.com>
On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@redhat.com wrote:
> From: Tom Rix <trix@redhat.com>
>
> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> the variable pd and then after uctx->cntxt_pd is freed, the
> variable pd is passed to function _ocrdma_dealloc_pd() which
> dereferences pd directly or through its call to
> ocrdma_mbx_dealloc_pd().
>
> Reorder the free using the variable pd.
>
> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> Signed-off-by: Tom Rix <trix@redhat.com>
> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-rc
Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
turned on would have instantly caught this, and the change is nearly a
year old.
Is ocrdma obsolete enough we can delete the driver?
Thanks,
Jason
next prev parent reply other threads:[~2021-01-07 20:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 2:46 [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd() trix
2020-12-30 5:31 ` Leon Romanovsky
2021-01-07 20:41 ` Jason Gunthorpe [this message]
2021-01-07 21:43 ` Tom Rix
2021-01-11 18:09 ` Selvin Xavier
2021-01-11 18:09 ` Selvin Xavier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210107204102.GA933840@nvidia.com \
--to=jgg@nvidia.com \
--cc=devesh.sharma@broadcom.com \
--cc=dledford@redhat.com \
--cc=galpress@amazon.com \
--cc=gustavoars@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=maxg@mellanox.com \
--cc=michaelgur@nvidia.com \
--cc=monis@mellanox.com \
--cc=selvin.xavier@broadcom.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.