Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()

From: Jason Gunthorpe
Date: Thu Jan 07 2021 - 15:42:07 EST

Next message: Arnd Bergmann: "Re: [PATCH] ubsan: disable unsigned-integer-overflow sanitizer with clang"
Previous message: Jason Gunthorpe: "Re: [PATCH] RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp"
Next in thread: Tom Rix: "Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Dec 29, 2020 at 06:46:53PM -0800, trix@xxxxxxxxxx wrote:
> From: Tom Rix <trix@xxxxxxxxxx>
>
> In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to
> the variable pd and then after uctx->cntxt_pd is freed, the
> variable pd is passed to function _ocrdma_dealloc_pd() which
> dereferences pd directly or through its call to
> ocrdma_mbx_dealloc_pd().
>
> Reorder the free using the variable pd.
>
> Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
> Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
> drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-rc

Is anyone testing ocrdma? Just doing the pyverbs rdma tests with kasn
turned on would have instantly caught this, and the change is nearly a
year old.

Is ocrdma obsolete enough we can delete the driver?

Thanks,
Jason

Next message: Arnd Bergmann: "Re: [PATCH] ubsan: disable unsigned-integer-overflow sanitizer with clang"
Previous message: Jason Gunthorpe: "Re: [PATCH] RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp"
Next in thread: Tom Rix: "Re: [PATCH] RDMA/ocrdma: fix use after free in ocrdma_dealloc_ucontext_pd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]