Re: [PATCH rdma-next v1] RDMA/ucma: Fix use-after-free bug in ucma_create_uevent

[Leon Romanovsky <leon@xxxxxxxxxx>]

On Wed, Feb 03, 2021 at 04:01:16PM -0400, Jason Gunthorpe wrote:
> On Mon, Jan 25, 2021 at 02:15:56PM +0200, Leon Romanovsky wrote:
> > diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
> > index e17ba841e204..7ce4d9dea826 100644
> > +++ b/drivers/infiniband/core/cma.c
> > @@ -352,7 +352,13 @@ struct ib_device *cma_get_ib_dev(struct cma_device *cma_dev)
> >
> >  struct cma_multicast {
> >  	struct rdma_id_private *id_priv;
> > -	struct ib_sa_multicast *sa_mc;
> > +	union {
> > +		struct ib_sa_multicast *sa_mc;
> > +		struct {
> > +			struct work_struct work;
> > +			struct rdma_cm_event event;
> > +		} iboe_join;
> > +	};
> >  	struct list_head	list;
> >  	void			*context;
> >  	struct sockaddr_storage	addr;
> > @@ -1839,6 +1845,12 @@ static void destroy_mc(struct rdma_id_private *id_priv,
> >  			cma_igmp_send(ndev, &mgid, false);
> >  			dev_put(ndev);
> >  		}
> > +
> > +		if (cancel_work_sync(&mc->iboe_join.work))
> > +			/* Compensate for cma_iboe_join_work_handler that
> > +			 * didn't run.
> > +			 */
> > +			cma_id_put(mc->id_priv);
>
> Just get rid of the cma_id_get in cma_iboe_join_multicast() and don't
> have this if

Why do you think that it is safe to queue work without refcount?

Thanks