RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

jgunthorpe · gregkh · commit ecc36a82ecfc · 2026-05-17T17:13:42.000+02:00
commit e38e869 upstream. Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free. Cc: stable@vger.kernel.org Fixes: 29c8d9e ("IB: Add vmw_pvrdma driver") Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4 Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucontext *uctx, struct ib_udata *udata)
 	uresp.qp_tab_size = vdev->dsr->caps.max_qp;
 	ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
 	if (ret) {
-		pvrdma_uar_free(vdev, &context->uar);
+		/* pvrdma_dealloc_ucontext() also frees the UAR */
 		pvrdma_dealloc_ucontext(&context->ibucontext);
 		return -EFAULT;
 	}

Original file line number	Diff line number	Diff line change
`@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucontext uctx, struct ib_udata udata)`
`350`	`350`	`uresp.qp_tab_size = vdev->dsr->caps.max_qp;`
`351`	`351`	`ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));`
`352`	`352`	`if (ret) {`
`353`		`- pvrdma_uar_free(vdev, &context->uar);`
	`353`	`+ /* pvrdma_dealloc_ucontext() also frees the UAR */`
`354`	`354`	`pvrdma_dealloc_ucontext(&context->ibucontext);`
`355`	`355`	`return -EFAULT;`
`356`	`356`	`}`