On Fri, Jun 01, 2018 at 11:31:44AM -0700, Cong Wang wrote:
> ucma_process_join() will free the newly allocated "mc" struct,
> if there is any error after that, especially the copy_to_user().
>
> But in parallel, ucma_leave_multicast() could find this "mc"
> through idr_find() before ucma_process_join() frees it, since it
> is already published.
>
> So "mc" could be used in ucma_leave_multicast() after it has been
> allocated and freed in ucma_process_join(), since we don't refcnt
> it.
>
> Fix this by separating "publish" from ID allocation, so that we
> can get an ID first and publish it later after copy_to_user().
>
> Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
> Reported-by: Noam Rathaus <noamr@xxxxxxxxxxxxxxxxxx>
> Cc: Sean Hefty <sean.hefty@xxxxxxxxx>
> Cc: Doug Ledford <dledford@xxxxxxxxxx>
> Cc: Jason Gunthorpe <jgg@xxxxxxxx>
> Cc: linux-rdma@xxxxxxxxxxxxxxx
> Signed-off-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>
> ---
> drivers/infiniband/core/ucma.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Looks good to me, and we already fixed the same sort of bug in the
non-multicast IDs.

Applied to for-next

Jason
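The reserve-then-publish pattern the patch describes, as an added userspace model that is not kernel code and not part of this thread: an ID is taken from the table first, the object is published into it only after the fallible copy step succeeds, so a concurrent leave cannot reach an object the error path is about to free. The table, the `mc_join`/`mc_leave` names and the fault injection are constructed for illustration.

```c
/* Constructed model of the fix: reserve an ID, publish only after copy_out() succeeds. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MC_MAX 8
struct mc_ctx { int id; char addr[16]; };

/* Stand-in for the idr: NULL = free slot, MC_RESERVED = ID taken, not yet visible. */
static struct mc_ctx *mc_registry[MC_MAX];
static struct mc_ctx mc_reserved_marker;          /* sentinel, never dereferenced */
#define MC_RESERVED (&mc_reserved_marker)

static int mc_alloc_id(void)
{
    for (int i = 0; i < MC_MAX; i++)
        if (mc_registry[i] == NULL) { mc_registry[i] = MC_RESERVED; return i; }
    return -ENOSPC;
}

/* Stand-in for copy_to_user(); 'fault' makes it fail on demand. */
static bool copy_out(const struct mc_ctx *mc, int *out_id, bool fault)
{
    if (fault) return false;
    *out_id = mc->id;
    return true;
}

/* Returns the new ID, or a negative errno with nothing published. */
int mc_join(const char *addr, bool fault_on_copy)
{
    struct mc_ctx *mc = calloc(1, sizeof(*mc));
    if (!mc) return -ENOMEM;
    int id = mc_alloc_id();                       /* get an ID, do not publish yet */
    if (id < 0) { free(mc); return id; }
    mc->id = id;
    strncpy(mc->addr, addr, sizeof(mc->addr) - 1);
    int user_id;
    if (!copy_out(mc, &user_id, fault_on_copy)) {
        mc_registry[id] = NULL;                   /* release the ID; mc was never visible */
        free(mc);
        return -EFAULT;
    }
    mc_registry[id] = mc;                         /* publish only after the copy succeeded */
    return id;
}

/* Model of the leave path: only a published object can be found and freed. */
int mc_leave(int id)
{
    if (id < 0 || id >= MC_MAX) return -ENOENT;
    struct mc_ctx *mc = mc_registry[id];
    if (mc == NULL || mc == MC_RESERVED) return -ENOENT;  /* not published */
    mc_registry[id] = NULL;
    free(mc);
    return 0;
}
```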