Patch "RDMA/irdma: Fix a user-after-free in add_pble_prm" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 14 Dec 2021 21:46:01 -0500

This is a note to let you know that I've just added the patch titled

    RDMA/irdma: Fix a user-after-free in add_pble_prm

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rdma-irdma-fix-a-user-after-free-in-add_pble_prm.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9ddb0ae32f37d1d237eb79cdd1b6cb1ce367604a
Author: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
Date:   Tue Dec 7 09:21:36 2021 -0600

    RDMA/irdma: Fix a user-after-free in add_pble_prm
    
    [ Upstream commit 1e11a39a82e95ce86f849f40dda0d9c0498cebd9 ]
    
    When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE
    info list.
    
    Add the chunk entry to the PBLE info list only after successful setting of
    the SD in irdma_hmc_sd_one.
    
    Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager")
    Link: https://lore.kernel.org/r/20211207152135.2192-1-shiraz.saleem@xxxxxxxxx
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/hw/irdma/pble.c b/drivers/infiniband/hw/irdma/pble.c
index aeeb1c310965d..da032b952755e 100644
--- a/drivers/infiniband/hw/irdma/pble.c
+++ b/drivers/infiniband/hw/irdma/pble.c
@@ -283,7 +283,6 @@ add_pble_prm(struct irdma_hmc_pble_rsrc *pble_rsrc)
 		  "PBLE: next_fpm_addr = %llx chunk_size[%llu] = 0x%llx\n",
 		  pble_rsrc->next_fpm_addr, chunk->size, chunk->size);
 	pble_rsrc->unallocated_pble -= (u32)(chunk->size >> 3);
-	list_add(&chunk->list, &pble_rsrc->pinfo.clist);
 	sd_reg_val = (sd_entry_type == IRDMA_SD_TYPE_PAGED) ?
 			     sd_entry->u.pd_table.pd_page_addr.pa :
 			     sd_entry->u.bp.addr.pa;
@@ -295,6 +294,7 @@ add_pble_prm(struct irdma_hmc_pble_rsrc *pble_rsrc)
 			goto error;
 	}
 
+	list_add(&chunk->list, &pble_rsrc->pinfo.clist);
 	sd_entry->valid = true;
 	return 0;
 






