Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
Product status
715fdb3b30541cc8180b7cdc6aa9f8c307afdf25 (git) before 62298a48f8b8788ad8b8464e6ffdf1ddebd2217e
5ac388db27c443dadfbb0b8b23fa7ccf429d901a (git) before 66964118f1f50ed85001c8fc9f7ab5bbdd021ee0
5ac388db27c443dadfbb0b8b23fa7ccf429d901a (git) before 0f22c32141acdcda266b26cab2b830baf870f3e0
5ac388db27c443dadfbb0b8b23fa7ccf429d901a (git) before 0c5d70bcb9d2275a1c8515a924016fcfeb4ab441
5ac388db27c443dadfbb0b8b23fa7ccf429d901a (git) before 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2
6.7
Any version before 6.7
6.6.136 (semver)
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e
git.kernel.org/...c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0
git.kernel.org/...c/0f22c32141acdcda266b26cab2b830baf870f3e0
git.kernel.org/...c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441
git.kernel.org/...c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2