git: 9fc6a635220f - main - ibcore: Fix a race with disassociate and exit_mmap()

From: Hans Petter Selasky <hselasky_at_FreeBSD.org>
Date: Tue, 21 Jun 2022 09:34:08 UTC
The branch main has been updated by hselasky:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fc6a635220fdd8a0a29de0a985a4a0c3a6890fd

commit 9fc6a635220fdd8a0a29de0a985a4a0c3a6890fd
Author:     Hans Petter Selasky <hselasky@FreeBSD.org>
AuthorDate: 2022-06-21 09:23:55 +0000
Commit:     Hans Petter Selasky <hselasky@FreeBSD.org>
CommitDate: 2022-06-21 09:33:27 +0000

    ibcore: Fix a race with disassociate and exit_mmap()
    
    If uverbs_user_mmap_disassociate() is called while the mmap is
    concurrently doing exit_mmap then the ordering of the
    rdma_user_mmap_entry_put() is not reliable.
    
    The put must be done before uvers_user_mmap_disassociate() returns,
    otherwise there can be a use after free on the ucontext, and a left over
    entry in the xarray. If the put is not done here then it is done during
    rdma_umap_close() later.
    
    Add the missing put to the error exit path.
    
    Linux commit:
    39c011a538272589b9eb02ff1228af528522a22c
    
    PR:             264473
    MFC after:      3 days
    Sponsored by:   NVIDIA Networking
---
 sys/ofed/drivers/infiniband/core/ib_uverbs_main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c b/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
index 1661458c689b..432d46760ecb 100644
--- a/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
+++ b/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
@@ -778,6 +778,10 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
 			ret = mmget_not_zero(mm);
 			if (!ret) {
 				list_del_init(&priv->list);
+				if (priv->entry) {
+					rdma_user_mmap_entry_put(priv->entry);
+					priv->entry = NULL;
+				}
 				mm = NULL;
 				continue;
 			}