On Mon, Apr 13, 2020 at 04:21:36PM +0300, Leon Romanovsky wrote:
> From: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
>
> If uverbs_user_mmap_disassociate() is called while the mmap is
> concurrently doing exit_mmap then the ordering of the
> rdma_user_mmap_entry_put() is not reliable.
>
> The put must be done before uvers_user_mmap_disassociate() returns,
> otherwise there can be a use after free on the ucontext, and a left over
> entry in the xarray. If the put is not done here then it is done during
> rdma_umap_close() later.
> Add the missing put to the error exit path.
>
> Fixes: c043ff2cfb7f ("RDMA: Connect between the mmap entry and the umap_priv structure")
> Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx>
> Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
> drivers/infiniband/core/uverbs_main.c | 4 ++++
> 1 file changed, 4 insertions(+)
Applied to for-next, thanks
Jason
