git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jason Gunthorpe <jgg@nvidia.com>
	Sat, 29 Nov 2025 00:53:21 +0000 (20:53 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 8 Jan 2026 09:14:50 +0000 (10:14 +0100)
commit	5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3
tree	259628be8be39c8575c984fa60af0a9f5c387b19	tree \| snapshot
parent	acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec	commit \| diff

RDMA/cm: Fix leaking the multicast GID table reference

commit 57f3cb6c84159d12ba343574df2115fb18dd83ca upstream.

If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:

   GID entry ref leak for dev syz1 index 2 ref=573
   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886

Destroy the ah_attr after canceling the work, it is safe to call this
twice.

Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>