RDMA/core: Fix race between destroy and release FD object (f0abc761) · Commits · Mirrors / github.com / sifive_riscv-linux

Commit f0abc761 authored Apr 23, 2020 by

Leon Romanovsky Committed by Jason Gunthorpe Apr 24, 2020

RDMA/core: Fix race between destroy and release FD object

The call to ->lookup_put() was too early and it caused an unlock of the
read/write protection of the uobject after the FD was put. This allows a
race:

     CPU1                                 CPU2
 rdma_lookup_put_uobject()
   lookup_put_fd_uobject()
     fput()
				   fput()
				     uverbs_uobject_fd_release()
				       WARN_ON(uverbs_try_lock_object(uobj,
					       UVERBS_LOOKUP_WRITE));
   atomic_dec(usecnt)

Fix the code by changing the order, first unlock and call to
->lookup_put() after that.

Fixes: 38321256 ("IB/core: Add support for idr types")
Link: https://lore.kernel.org/r/20200423060122.6182-1-leon@kernel.org


Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

parent 47c370c1

Hide whitespace changes

Inline Side-by-side

Please register or to comment