[PATCH for-rc] RDMA/irdma: Fix a user-after-free in add_pble

kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH for-rc] RDMA/irdma: Fix a user-after-free in add_pble_prm
@ 2021-12-07 15:21 Shiraz Saleem
  2021-12-07 17:50 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Shiraz Saleem @ 2021-12-07 15:21 UTC (permalink / raw)
  To: jgg
  Cc: linux-rdma, linux-kernel, kernel-janitors, dan.carpenter,
	christophe.jaillet, Shiraz Saleem

When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE
info list.

Add the chunk entry to the PBLE info list only after successful setting of
the SD in irdma_hmc_sd_one.

Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
---
 drivers/infiniband/hw/irdma/pble.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/irdma/pble.c b/drivers/infiniband/hw/irdma/pble.c
index aeeb1c3..da032b9 100644
--- a/drivers/infiniband/hw/irdma/pble.c
+++ b/drivers/infiniband/hw/irdma/pble.c
@@ -283,7 +283,6 @@ static enum irdma_sd_entry_type irdma_get_type(struct irdma_sc_dev *dev,
 		  "PBLE: next_fpm_addr = %llx chunk_size[%llu] = 0x%llx\n",
 		  pble_rsrc->next_fpm_addr, chunk->size, chunk->size);
 	pble_rsrc->unallocated_pble -= (u32)(chunk->size >> 3);
-	list_add(&chunk->list, &pble_rsrc->pinfo.clist);
 	sd_reg_val = (sd_entry_type == IRDMA_SD_TYPE_PAGED) ?
 			     sd_entry->u.pd_table.pd_page_addr.pa :
 			     sd_entry->u.bp.addr.pa;
@@ -295,6 +294,7 @@ static enum irdma_sd_entry_type irdma_get_type(struct irdma_sc_dev *dev,
 			goto error;
 	}
 
+	list_add(&chunk->list, &pble_rsrc->pinfo.clist);
 	sd_entry->valid = true;
 	return 0;
 
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH for-rc] RDMA/irdma: Fix a user-after-free in add_pble_prm
  2021-12-07 15:21 [PATCH for-rc] RDMA/irdma: Fix a user-after-free in add_pble_prm Shiraz Saleem
@ 2021-12-07 17:50 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2021-12-07 17:50 UTC (permalink / raw)
  To: Shiraz Saleem
  Cc: linux-rdma, linux-kernel, kernel-janitors, dan.carpenter,
	christophe.jaillet

On Tue, Dec 07, 2021 at 09:21:36AM -0600, Shiraz Saleem wrote:
> When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE
> info list.
> 
> Add the chunk entry to the PBLE info list only after successful setting of
> the SD in irdma_hmc_sd_one.
> 
> Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
> ---
>  drivers/infiniband/hw/irdma/pble.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-rc, thanks

Jason

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-12-07 17:51 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-07 15:21 [PATCH for-rc] RDMA/irdma: Fix a user-after-free in add_pble_prm Shiraz Saleem
2021-12-07 17:50 ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).