On 6/1/23 12:33, Jason Gunthorpe wrote:
> On Wed, May 17, 2023 at 04:15:10PM -0500, Bob Pearson wrote:
>> There is a reference count error in error path code and a
>> potential race in check_rkey() in rxe_resp.c. When looking
>> up the rkey for a memory window the reference to the mw from
>> rxe_lookup_mw() is dropped before a reference is taken on the
>> mr referenced by the mw. If the mr is destroyed immediately
>> after the call to rxe_put(mw) the mr pointer is unprotected
>> and may end up pointing at freed memory. The rxe_get(mr) call
>> should take place before the rxe_put(mw) call.
>>
>> All errors in check_rkey() call rxe_put(mw) if mw is not NULL
>> but it was already called after the above. The mw pointer
>> should be set to NULL after the rxe_put(mw) call to prevent
>> this from happening.
>>
>> This patch corrects these errors.
>>
>> Fixes: cdd0b85675ae ("RDMA/rxe: Implement memory access through MWs")
>> Signed-off-by: Bob Pearson <rpearsonhpe@xxxxxxxxx>
>> ---
>>  drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Applied to for-rc, thanks
>
> Jason

thanks
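The two ordering problems described in the quoted commit message, reduced to a single-threaded user-space model. This is an added example, not the rxe driver's code and not part of the patch. `struct obj`, `get`, `put` and `check_rkey_model` are hypothetical stand-ins, and the model assumes the mw's binding holds the only reference on the mr and that the concurrent release happens immediately after the responder's put.

```c
#include <stdio.h>

struct obj { int refs; int freed; struct obj *bound; };  /* toy; 'freed' is only a flag */
struct outcome { int mr_ref_ok; int mw_freed; };

static int get(struct obj *o)
{
    if (!o->freed)
        o->refs++;
    return !o->freed;                 /* 0: real code would touch freed memory */
}

static void put(struct obj *o)
{
    if (--o->refs == 0) {
        o->freed = 1;
        if (o->bound)
            put(o->bound);            /* a dying mw releases its mr */
    }
}

/* fixed: patched order; race: owner drops mw after our put; error: later check fails */
static struct outcome check_rkey_model(int fixed, int race, int error)
{
    struct obj mr = { .refs = 1 };                    /* pinned by the mw only */
    struct obj mw_obj = { .refs = 1, .bound = &mr };  /* pinned by its owner */
    struct obj *mw = &mw_obj;
    int mr_ref_ok = 0;
    get(mw);                          /* lookup hands back a referenced mw */
    if (fixed)
        mr_ref_ok = get(&mr);         /* pin mr while the mw still pins it */
    put(mw);
    if (fixed)
        mw = NULL;                    /* error path must not put it again */
    if (race)
        put(&mw_obj);                 /* owner's release at the worst moment */
    if (!fixed)
        mr_ref_ok = get(&mr);         /* too late if mr died with the mw */
    if (error && mw)
        put(mw);                      /* shared error path: a second put */
    return (struct outcome){ mr_ref_ok, mw_obj.freed };
}

int main(void)
{
    for (int f = 0; f <= 1; f++)
        printf("fixed=%d race: mr_ref_ok=%d error: mw_freed=%d\n", f,
               check_rkey_model(f, 1, 0).mr_ref_ok, check_rkey_model(f, 0, 1).mw_freed);
    return 0;
}
```

In the unpatched ordering the model shows the mr already gone when its reference is taken, and the error path's second put releasing the mw while its owner still holds it; with the patched ordering neither happens.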