Description
In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
Product status
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before 91a44b406bc1f9e1c5da0cb7d0d5991b43b79147
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before 106dc689206610cfa2098f593fdd1e020c997835
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before ec55a86f7fba7d9111df94b9c11a4755ed492995
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before 8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before d95cea9298be1ba8876e3f156be96d3a492085ca
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before 033370ffb3c9c0264d19f8ba9ef769523266589a
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before b3cb8cae530b2727d8245684148bb49425f6765c
0d4597c8c5abdeeaf50774066c16683f30184dc8 (git) before 8141a2dc70080eda1aedc0389ed2db2b292af5bd
5.6
Any version before 5.6
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.140 (semver)
6.12.86 (semver)
6.18.27 (semver)
7.0.4 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/91a44b406bc1f9e1c5da0cb7d0d5991b43b79147
git.kernel.org/...c/106dc689206610cfa2098f593fdd1e020c997835
git.kernel.org/...c/ec55a86f7fba7d9111df94b9c11a4755ed492995
git.kernel.org/...c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc
git.kernel.org/...c/d95cea9298be1ba8876e3f156be96d3a492085ca
git.kernel.org/...c/033370ffb3c9c0264d19f8ba9ef769523266589a
git.kernel.org/...c/b3cb8cae530b2727d8245684148bb49425f6765c
git.kernel.org/...c/8141a2dc70080eda1aedc0389ed2db2b292af5bd