RDMA/restrack: Increment CQ restrack object before committing

Once the uobj is committed it is immediately possible another thread could destroy it, which worst case, can result in a use-after-free of the restrack objects. Cc: syzkaller <syzkaller@googlegroups.com> Fixes: 08f294a1524b ("RDMA/core: Add resource tracking for create and destroy CQs") Reported-by: Noa Osherovich <noaos@mellanox.com> Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
author: Leon Romanovsky <leonro@mellanox.com> 2018-02-14 12:35:37 +0200
committer: Jason Gunthorpe <jgg@mellanox.com> 2018-02-15 15:31:26 -0700
commit: 0cba0efcc7238d47a045a8d7a4079f6a22993546 (patch)
tree: e35803a9f95ff2fc2f9188ab0f140819a878c1cc /drivers/infiniband
parent: 3f802b162dbf4a558ff98986449eddc717826209 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 256934d1f64f..4e55f8325049 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1030,14 +1030,14 @@ static struct ib_ucq_object *create_cq(struct ib_uverbs_file *file,
 	resp.response_length = offsetof(typeof(resp), response_length) +
 		sizeof(resp.response_length);
 
+	cq->res.type = RDMA_RESTRACK_CQ;
+	rdma_restrack_add(&cq->res);
+
 	ret = cb(file, obj, &resp, ucore, context);
 	if (ret)
 		goto err_cb;
 
 	uobj_alloc_commit(&obj->uobject);
-	cq->res.type = RDMA_RESTRACK_CQ;
-	rdma_restrack_add(&cq->res);
-
 	return obj;
 
 err_cb:
author	Leon Romanovsky <leonro@mellanox.com>	2018-02-14 12:35:37 +0200
committer	Jason Gunthorpe <jgg@mellanox.com>	2018-02-15 15:31:26 -0700
commit	0cba0efcc7238d47a045a8d7a4079f6a22993546 (patch)
tree	e35803a9f95ff2fc2f9188ab0f140819a878c1cc /drivers/infiniband
parent	3f802b162dbf4a558ff98986449eddc717826209 (diff)