Re: [PATCH] IB/hfi1: Fix potential use-after-free in PIO and SDMA map teardown

Next message: Breno Leitao: "Re: [PATCH] workqueue: fix devm_alloc_workqueue() va_list misuse"
Previous message: Tycho Andersen: "Re: [PATCH v2 3/4] KVM: SEV: Add the kvm-amd.rapl_disable module parameter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Tue Apr 28 2026 - 11:00:58 EST

On Fri, Feb 06, 2026 at 12:08:36AM -0500, lirongqing wrote:
> From: Li RongQing <lirongqing@xxxxxxxxx>
>
> The current teardown logic for dd->pio_map and dd->sdma_map frees the
> structures while they might still be accessed by RCU readers. Although
> the pointer is nulled under a spinlock, the memory is reclaimed before
> waiting for the grace period to end.
>
> This patch fixes the sequence by:
> 1. Extracting the pointer under the lock.
> 2. Clearing the RCU-protected pointer.
> 3. Waiting for readers to finish with synchronize_rcu().
> 4. Finally freeing the memory.
>
> Fixes: 7724105686e7 ("IB/hfi1: add driver files")
> Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
> ---
> drivers/infiniband/hw/hfi1/pio.c | 5 ++++-
> drivers/infiniband/hw/hfi1/sdma.c | 4 +++-
> 2 files changed, 7 insertions(+), 2 deletions(-)

This does seem to be a legitimate mis-use of RCU, applied to rc

Jason