| From 9ddb0ae32f37d1d237eb79cdd1b6cb1ce367604a Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 7 Dec 2021 09:21:36 -0600 |
| Subject: RDMA/irdma: Fix a user-after-free in add_pble_prm |
| |
| From: Shiraz Saleem <shiraz.saleem@intel.com> |
| |
| [ Upstream commit 1e11a39a82e95ce86f849f40dda0d9c0498cebd9 ] |
| |
| When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE |
| info list. |
| |
| Add the chunk entry to the PBLE info list only after successful setting of |
| the SD in irdma_hmc_sd_one. |
| |
| Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager") |
| Link: https://lore.kernel.org/r/20211207152135.2192-1-shiraz.saleem@intel.com |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> |
| Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/infiniband/hw/irdma/pble.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/infiniband/hw/irdma/pble.c b/drivers/infiniband/hw/irdma/pble.c |
| index aeeb1c310965d..da032b952755e 100644 |
| --- a/drivers/infiniband/hw/irdma/pble.c |
| +++ b/drivers/infiniband/hw/irdma/pble.c |
| @@ -283,7 +283,6 @@ add_pble_prm(struct irdma_hmc_pble_rsrc *pble_rsrc) |
| "PBLE: next_fpm_addr = %llx chunk_size[%llu] = 0x%llx\n", |
| pble_rsrc->next_fpm_addr, chunk->size, chunk->size); |
| pble_rsrc->unallocated_pble -= (u32)(chunk->size >> 3); |
| - list_add(&chunk->list, &pble_rsrc->pinfo.clist); |
| sd_reg_val = (sd_entry_type == IRDMA_SD_TYPE_PAGED) ? |
| sd_entry->u.pd_table.pd_page_addr.pa : |
| sd_entry->u.bp.addr.pa; |
| @@ -295,6 +294,7 @@ add_pble_prm(struct irdma_hmc_pble_rsrc *pble_rsrc) |
| goto error; |
| } |
| |
| + list_add(&chunk->list, &pble_rsrc->pinfo.clist); |
| sd_entry->valid = true; |
| return 0; |
| |
| -- |
| 2.33.0 |
| |
