git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Li RongQing <lirongqing@baidu.com>
	Fri, 6 Feb 2026 05:08:36 +0000 (00:08 -0500)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Tue, 28 Apr 2026 14:15:49 +0000 (11:15 -0300)
commit	76b48a70b16b4036814964b039cde413e0164416
tree	16a29e62d91df65f826edbb9c714aa4abd808ec9	tree \| snapshot
parent	254f49634ee16a731174d2ae34bc50bd5f45e731	commit \| diff

IB/hfi1: Fix potential use-after-free in PIO and SDMA map teardown

The current teardown logic for dd->pio_map and dd->sdma_map frees the
structures while they might still be accessed by RCU readers. Although the
pointer is nulled under a spinlock, the memory is reclaimed before waiting
for the grace period to end.

This patch fixes the sequence by:
1. Extracting the pointer under the lock.
2. Clearing the RCU-protected pointer.
3. Waiting for readers to finish with synchronize_rcu().
4. Finally freeing the memory.

Fixes: 7724105686e7 ("IB/hfi1: add driver files")
Link: https://patch.msgid.link/r/20260206050836.5890-1-lirongqing@baidu.com
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

drivers/infiniband/hw/hfi1/pio.c		diff \| blob \| blame \| history
drivers/infiniband/hw/hfi1/sdma.c		diff \| blob \| blame \| history