[PATCH] IB: fix use-after-free in user verbs cleanup

Fix a use-after-free bug in userspace verbs cleanup: we can't touch
mr->device after we free mr by calling ib_dereg_mr().

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index eb99e693dec23b6d7cc2e5dcc38e79fa4f741fac..5f6e9ea29cd772f1f819ea21d2a2ad47840b5c81 100644 (file)
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -130,13 +130,14 @@ static int ib_dealloc_ucontext(struct ib_ucontext *context)
 
        list_for_each_entry_safe(uobj, tmp, &context->mr_list, list) {
                struct ib_mr *mr = idr_find(&ib_uverbs_mr_idr, uobj->id);
+               struct ib_device *mrdev = mr->device;
                struct ib_umem_object *memobj;
 
                idr_remove(&ib_uverbs_mr_idr, uobj->id);
                ib_dereg_mr(mr);
 
                memobj = container_of(uobj, struct ib_umem_object, uobject);
-               ib_umem_release_on_close(mr->device, &memobj->umem);
+               ib_umem_release_on_close(mrdev, &memobj->umem);
 
                list_del(&uobj->list);
                kfree(memobj);