On Mon, Jan 13, 2020 at 02:33:10PM +0000, Jason Gunthorpe wrote:
> After device disassociation the uapi_objects are destroyed and freed,
> however it is still possible that core code can be holding a kref on the
> uobject. When it finally goes to uverbs_uobject_free() via the kref_put()
> it can trigger a use-after-free on the uapi_object.
>
> Since needs_kfree_rcu is a micro optimization that only benefits file
> uobjects, just get rid of it. There is no harm in using kfree_rcu even if
> it isn't required, and the number of involved objects is small.
>
> Signed-off-by: Michael Guralnik <michaelgur@xxxxxxxxxxxx>
> Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
> ---
> drivers/infiniband/core/rdma_core.c | 23 +----------------------
> include/rdma/uverbs_types.h         |  1 -
> 2 files changed, 1 insertion(+), 23 deletions(-)
>
> This should go before the 'refactoring fd usage' series as more
> testing has shown the reworked code can trivially trigger this
> existing bug.

Applied to for-next

Though it seems this might not be an existing problem as none of the
existing kref users can outlive disassociation. Nevertheless it is very
surprising that the kref becomes a segfault after disassociation.

Jason
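The lifetime problem the patch describes, modelled in user-space C as an added example (this is not the kernel's rdma_core.c nor the patch's code). The kernel's struct kref and kfree_rcu() are replaced by a plain counter and a deferred-free list, and a freed uapi_object is modelled by an `alive` flag instead of actually freed memory, so the dangling read is counted deterministically rather than being undefined behaviour. The two release functions contrast the pre-fix path, which consults the descriptor to choose between kfree and kfree_rcu, with the post-fix path, which always defers and touches nothing with a shorter lifetime; all names here are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the release-after-disassociation scenario.
 * Names mimic the kernel pattern but none of this is kernel code.
 */

struct type_class {
    bool needs_kfree_rcu;
};

/* Descriptor torn down on disassociation; it lives shorter than the uobject. */
struct uapi_object {
    const struct type_class *type_class;
    bool alive;   /* false after the modelled kfree(); avoids real UB */
};

struct uobject {
    int refcount;                      /* stand-in for struct kref */
    struct uapi_object *uapi_object;
    struct uobject *deferred_next;     /* stand-in for the rcu_head */
};

typedef void (*release_fn)(struct uobject *);

static int g_dangling_derefs;       /* release paths that read a dead descriptor */
static int g_freed;                 /* uobjects actually freed */
static struct uobject *g_deferred;  /* models the RCU callback queue */

/* Models destruction of the uapi tree when the device goes away. */
static void disassociate(struct uapi_object *uapi)
{
    uapi->alive = false;
}

static void kref_get(struct uobject *u) { u->refcount++; }

static void kref_put(struct uobject *u, release_fn release)
{
    if (--u->refcount == 0)
        release(u);
}

/* Models kfree_rcu(): the free happens later, after a grace period. */
static void kfree_rcu_model(struct uobject *u)
{
    u->deferred_next = g_deferred;
    g_deferred = u;
}

/* Models the end of the grace period: run all deferred frees. */
static void rcu_barrier_model(void)
{
    while (g_deferred) {
        struct uobject *u = g_deferred;
        g_deferred = u->deferred_next;
        free(u);
        g_freed++;
    }
}

/* Pre-fix shape: the release path reads the descriptor to pick a free method. */
static void uverbs_uobject_free_buggy(struct uobject *u)
{
    struct uapi_object *uapi = u->uapi_object;

    if (!uapi->alive)
        g_dangling_derefs++;   /* in the kernel this read is the use-after-free */
    if (uapi->type_class->needs_kfree_rcu) {
        kfree_rcu_model(u);
    } else {
        free(u);
        g_freed++;
    }
}

/* Post-fix shape: always defer, and consult nothing owned by the uapi tree. */
static void uverbs_uobject_free_fixed(struct uobject *u)
{
    kfree_rcu_model(u);
}

/*
 * One run of the scenario: core code holds an extra reference across
 * disassociation and drops it afterwards. Returns how many times the
 * release path read the already-dead descriptor.
 */
static int run_scenario(release_fn release)
{
    static const struct type_class file_class = { .needs_kfree_rcu = false };
    struct uapi_object uapi = { .type_class = &file_class, .alive = true };
    struct uobject *u = calloc(1, sizeof(*u));

    if (!u)
        abort();
    g_dangling_derefs = 0;
    g_freed = 0;
    u->refcount = 1;             /* the file's own reference */
    u->uapi_object = &uapi;

    kref_get(u);                 /* some core code path takes a reference */
    disassociate(&uapi);         /* device removed: uapi objects destroyed */
    kref_put(u, release);        /* file reference dropped on close */
    kref_put(u, release);        /* core reference dropped last: release runs here */
    rcu_barrier_model();         /* let any deferred free complete */
    return g_dangling_derefs;
}

static int freed_count(void) { return g_freed; }

int main(void)
{
    printf("buggy: dangling reads=%d freed=%d\n",
           run_scenario(uverbs_uobject_free_buggy), freed_count());
    printf("fixed: dangling reads=%d freed=%d\n",
           run_scenario(uverbs_uobject_free_fixed), freed_count());
    return 0;
}
```

The point the model makes is the one in the commit message: the release callback of a kref'd object must only depend on state whose lifetime is at least as long as the last reference, so selecting the free method from a descriptor that disassociation tears down earlier is unsafe regardless of how rarely it happens.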