RDMA/ucma: Fix use-after-free access in ucma_close

The error in ucma_create_id() left ctx in the list of contexts belong
to ucma file descriptor. The attempt to close this file descriptor causes
to use-after-free accesses while iterating over such list.

Fixes: 7521663 ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Sean Hefty <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>

Author: Leon Romanovsky

drivers/infiniband/core/ucma.c

@@ -497,6 +497,9 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
 	mutex_lock(&mut);
 	idr_remove(&ctx_idr, ctx->id);
 	mutex_unlock(&mut);
+	mutex_lock(&file->mut);
+	list_del(&ctx->list);
+	mutex_unlock(&file->mut);
 	kfree(ctx);
 	return ret;
 }