diff options
| author | Jason Gunthorpe <jgg@nvidia.com> | 2025-11-28 20:53:21 -0400 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@nvidia.com> | 2025-12-16 21:32:13 -0400 |
| commit | 57f3cb6c84159d12ba343574df2115fb18dd83ca (patch) | |
| tree | 40e906f0d6c9bb4a083820618def331df0bc289b /tools/workqueue/git@git.tavy.me:linux.git | |
| parent | a7b8e876e0ef0232b8076972c57ce9a7286b47ca (diff) | |
RDMA/cm: Fix leaking the multicast GID table reference
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Diffstat (limited to 'tools/workqueue/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions