* [PATCH] IB: fix use-after-free in user verbs cleanup
@ 2005-08-26  1:00 Roland Dreier
  0 siblings, 0 replies; only message in thread
From: Roland Dreier @ 2005-08-26  1:00 UTC (permalink / raw)
  To: akpm; +Cc: openib-general, linux-kernel

Hi Andrew,

I'd like to get this into 2.6.13 if possible.  If it's too late, it's
not the end of the world -- we can wait for 2.6.13.1.  But it's a
tiny, obvious patch that fixes a crash that at least one person
actually hit running a normal application:
http://openib.org/pipermail/openib-general/2005-August/010248.html

Thanks,
  Roland


Fix a use-after-free bug in userspace verbs cleanup: we can't touch
mr->device after we free mr by calling ib_dereg_mr().

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -130,13 +130,14 @@ static int ib_dealloc_ucontext(struct ib
 
 	list_for_each_entry_safe(uobj, tmp, &context->mr_list, list) {
 		struct ib_mr *mr = idr_find(&ib_uverbs_mr_idr, uobj->id);
+		struct ib_device *mrdev = mr->device;
 		struct ib_umem_object *memobj;
 
 		idr_remove(&ib_uverbs_mr_idr, uobj->id);
 		ib_dereg_mr(mr);
 
 		memobj = container_of(uobj, struct ib_umem_object, uobject);
-		ib_umem_release_on_close(mr->device, &memobj->umem);
+		ib_umem_release_on_close(mrdev, &memobj->umem);
 
 		list_del(&uobj->list);
 		kfree(memobj);
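Review bot: the new `struct ib_device *mrdev = mr->device;` line dereferences the idr_find() result before any NULL check; this only moves an existing dereference earlier (ib_dereg_mr(mr) already assumed mr is valid), so it is not a regression, but if a missing idr entry is ever possible the loop should skip the entry when idr_find() returns NULL before touching mr. Caching the device pointer ahead of ib_dereg_mr() and passing `mrdev` to ib_umem_release_on_close() correctly resolves the ordering in the `-`/`+` pair.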
