From: Jason Gunthorpe <jgg@nvidia.com>
To: lirongqing <lirongqing@baidu.com>
Cc: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Leon Romanovsky <leon@kernel.org>,
Kyle Liddell <kyle.liddell@intel.com>,
Caz Yokoyama <caz.yokoyama@intel.com>,
Sadanand Warrier <sadanand.warrier@intel.com>,
Arthur Kepner <arthur.kepner@intel.com>,
Ira Weiny <ira.weiny@intel.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] IB/hfi1: Fix potential use-after-free in PIO and SDMA map teardown
Date: Tue, 28 Apr 2026 11:24:11 -0300
Message-ID: <20260428142411.GA2606586@nvidia.com>
In-Reply-To: <20260206050836.5890-1-lirongqing@baidu.com>
On Fri, Feb 06, 2026 at 12:08:36AM -0500, lirongqing wrote:
> From: Li RongQing <lirongqing@baidu.com>
>
> The current teardown logic for dd->pio_map and dd->sdma_map frees the
> structures while they might still be accessed by RCU readers. Although
> the pointer is nulled under a spinlock, the memory is reclaimed before
> waiting for the grace period to end.
>
> This patch fixes the sequence by:
> 1. Extracting the pointer under the lock.
> 2. Clearing the RCU-protected pointer.
> 3. Waiting for readers to finish with synchronize_rcu().
> 4. Finally freeing the memory.
>
> Fixes: 7724105686e7 ("IB/hfi1: add driver files")
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
> drivers/infiniband/hw/hfi1/pio.c | 5 ++++-
> drivers/infiniband/hw/hfi1/sdma.c | 4 +++-
> 2 files changed, 7 insertions(+), 2 deletions(-)
This does seem to be a legitimate misuse of RCU, applied to rc

Jason
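
The four-step ordering in the quoted commit message, as an added example that is not part of this thread or of the hfi1 driver: a single-threaded userspace model in which the grace period is polled instead of awaited with synchronize_rcu(). All names here (struct map, unpublish, free_if_safe, the reader slots) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#define MAX_READERS 4

struct map { int entries[8]; };                 /* stand-in for the protected map */
static struct map *published;                   /* pointer that readers dereference */
static unsigned long epoch = 1;                 /* bumped by every unpublish */
static unsigned long reader_epoch[MAX_READERS]; /* 0 = outside a read section */

/* Model of rcu_read_lock() plus rcu_dereference() for reader slot r. */
static struct map *read_lock(int r) { reader_epoch[r] = epoch; return published; }
static void read_unlock(int r) { reader_epoch[r] = 0; }

/* Steps 1 and 2: take the old pointer, then clear the published one. */
static struct map *unpublish(unsigned long *cookie)
{
    struct map *old = published;
    published = NULL;
    *cookie = ++epoch;          /* readers that entered earlier may hold old */
    return old;
}

/* Steps 3 and 4: free only once no pre-unpublish reader is still inside. */
static bool free_if_safe(struct map **old, unsigned long cookie)
{
    for (int r = 0; r < MAX_READERS; r++)
        if (reader_epoch[r] && reader_epoch[r] < cookie)
            return false;       /* grace period not over: freeing would be a UAF */
    free(*old);
    *old = NULL;
    return true;
}

/* Constructed scenario: reader 0 is mid-section when teardown starts. */
int teardown_scenario(void)
{
    unsigned long cookie;
    int result = 0;
    published = calloc(1, sizeof(*published));
    struct map *seen = read_lock(0);
    struct map *old = unpublish(&cookie);
    if (seen == old) result |= 1;                 /* reader 0 still holds the map */
    if (!free_if_safe(&old, cookie)) result |= 2; /* free refused while it reads */
    if (read_lock(1) == NULL) result |= 4;        /* later readers see NULL */
    read_unlock(1);
    read_unlock(0);
    if (free_if_safe(&old, cookie)) result |= 8;  /* safe after reader 0 leaves */
    return result;
}
int main(void) { return teardown_scenario() == 15 ? 0 : 1; }
```

Bit 2 marks the point where the pre-patch sequence described in the commit message would already have freed the map while reader 0 still held it.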