From: Leon Romanovsky <leon@kernel.org>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Jason Gunthorpe <jgg@nvidia.com>,
Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>,
Zhu Yanjun <zyjzyj2000@gmail.com>,
linux-rdma@vger.kernel.org, Zhu Yanjun <yanjun.zhu@linux.dev>,
Jason Gunthorpe <jgg@ziepe.ca>,
Luis Chamberlain <mcgrof@kernel.org>,
Joel Granados <j.granados@samsung.com>
Subject: Re: [PATCH 5/5] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
Date: Sun, 9 Jun 2024 11:24:57 +0300 [thread overview]
Message-ID: <20240609082457.GA8976@unreal> (raw)
In-Reply-To: <20240605145117.397751-6-bvanassche@acm.org>
On Wed, Jun 05, 2024 at 08:51:01AM -0600, Bart Van Assche wrote:
> iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with
> an existing struct iw_cm_id (cm_id) as follows:
>
> conn_id->cm_id.iw = cm_id;
> cm_id->context = conn_id;
> cm_id->cm_handler = cma_iw_handler;
>
> rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make
> sure that cm_work_handler() does not trigger a use-after-free by only
> freeing of the struct rdma_id_private after all pending work has finished.
>
> Cc: stable
This is not right way to mark a patch for stable. I added the following
to the commit message and applied the patch:
Cc: stable@vger.kernel.org
Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref")
There is no clear Fixes tag which I can use, so I used the latest significant
commit that touch that area.
Thanks
> Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
> Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
> drivers/infiniband/core/iwcm.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
next prev parent reply other threads:[~2024-06-09 8:25 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-05 14:50 [PATCH 0/5] iWARP Connection Manager patches Bart Van Assche
2024-06-05 14:50 ` [PATCH 1/5] RDMA/iwcm: Use list_first_entry() where appropriate Bart Van Assche
2024-06-06 20:29 ` Zhu Yanjun
2024-06-05 14:50 ` [PATCH 2/5] RDMA/iwcm: Change the return type of iwcm_deref_id() Bart Van Assche
2024-06-05 20:17 ` Zhu Yanjun
2024-06-05 14:50 ` [PATCH 3/5] RDMA/iwcm: Simplify cm_event_handler() Bart Van Assche
2024-06-05 14:51 ` [PATCH 4/5] RDMA/iwcm: Simplify cm_work_handler() Bart Van Assche
2024-06-05 14:51 ` [PATCH 5/5] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs Bart Van Assche
2024-06-09 8:24 ` Leon Romanovsky [this message]
2024-06-09 8:25 ` [PATCH 0/5] iWARP Connection Manager patches Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240609082457.GA8976@unreal \
--to=leon@kernel.org \
--cc=bvanassche@acm.org \
--cc=j.granados@samsung.com \
--cc=jgg@nvidia.com \
--cc=jgg@ziepe.ca \
--cc=linux-rdma@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=shinichiro.kawasaki@wdc.com \
--cc=yanjun.zhu@linux.dev \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.