Created attachment 234656 [details] a possible patch The error in ucma_create_id() left ctx in the list of contexts belong to ucma file descriptor. The attempt to close this file descriptor causes to use-after-free accesses while iterating over such list.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=66a0bc2105e43e54abfaa9f48b76c28371fa2d62 commit 66a0bc2105e43e54abfaa9f48b76c28371fa2d62 Author: Hans Petter Selasky <hselasky@FreeBSD.org> AuthorDate: 2022-06-13 14:55:14 +0000 Commit: Hans Petter Selasky <hselasky@FreeBSD.org> CommitDate: 2022-06-13 15:00:16 +0000 ibcore: Fix use-after-free access in ucma_close() The error in ucma_create_id() left ctx in the list of contexts belong to ucma file descriptor. The attempt to close this file descriptor causes to use-after-free accesses while iterating over such list. Linux commit: ed65a4dc22083e73bac599ded6a262318cad7baf PR: 264650 MFC after: 1 week Sponsored by: NVIDIA Networking sys/ofed/drivers/infiniband/core/ib_ucma.c | 3 +++ 1 file changed, 3 insertions(+)
Thank you for the submission! --HPS
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=e212dffaae152cbb13f556c663a498ccf61c5889 commit e212dffaae152cbb13f556c663a498ccf61c5889 Author: Hans Petter Selasky <hselasky@FreeBSD.org> AuthorDate: 2022-06-13 14:55:14 +0000 Commit: Hans Petter Selasky <hselasky@FreeBSD.org> CommitDate: 2022-06-20 11:08:39 +0000 ibcore: Fix use-after-free access in ucma_close() The error in ucma_create_id() left ctx in the list of contexts belong to ucma file descriptor. The attempt to close this file descriptor causes to use-after-free accesses while iterating over such list. Linux commit: ed65a4dc22083e73bac599ded6a262318cad7baf PR: 264650 Sponsored by: NVIDIA Networking (cherry picked from commit 66a0bc2105e43e54abfaa9f48b76c28371fa2d62) sys/ofed/drivers/infiniband/core/ib_ucma.c | 3 +++ 1 file changed, 3 insertions(+)