From: Jason Gunthorpe <jgg@nvidia.com>
To: Wentao Liang <vulab@iscas.ac.cn>
Cc: leon@kernel.org, linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/iwpm: fix kref bypass in iwpm_register_pid() error path
Date: Mon, 8 Jun 2026 15:34:38 -0300
Message-ID: <20260608183438.GA95325@nvidia.com>
In-Reply-To: <20260608103001.142648-1-vulab@iscas.ac.cn>

On Mon, Jun 08, 2026 at 10:30:01AM +0000, Wentao Liang wrote:
> iwpm_get_nlmsg_request() returns a request with kref_init() +
> kref_get() (refcount=2, one for the caller and one for the
> iwpm_nlmsg_req_list). On the error path, iwpm_register_pid()
> calls iwpm_free_nlmsg_request() directly instead of using
> kref_put(), bypassing the kref mechanism and freeing the object
> while the refcount is still non-zero.
> 
> Replace the direct iwpm_free_nlmsg_request() call with
> kref_put(&nlmsg_request->kref, iwpm_free_nlmsg_request).
> 
> Cc: stable@vger.kernel.org
> Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  drivers/infiniband/core/iwpm_msg.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/core/iwpm_msg.c b/drivers/infiniband/core/iwpm_msg.c
> index 4625abd29ac0..672b0c33a6de 100644
> --- a/drivers/infiniband/core/iwpm_msg.c
> +++ b/drivers/infiniband/core/iwpm_msg.c
> @@ -122,7 +122,7 @@ int iwpm_register_pid(struct iwpm_dev_data *pm_msg, u8 nl_client)
>  	pr_info("%s: %s (client = %u)\n", __func__, err_str, nl_client);
>  	dev_kfree_skb(skb);
>  	if (nlmsg_request)
> -		iwpm_free_nlmsg_request(&nlmsg_request->kref);
> +		kref_put(&nlmsg_request->kref, iwpm_free_nlmsg_request);
>  	return ret;
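
Review bot: The single kref_put() on the error path drops only one of the two references that, per the commit message, iwpm_get_nlmsg_request() takes (kref_init() + kref_get(), refcount=2), so iwpm_free_nlmsg_request() is not invoked as the release callback here and the request remains referenced by iwpm_nlmsg_req_list after iwpm_register_pid() returns. Either drop the list's reference on this path as well, or state in the commit message which code path releases the second reference and removes the entry from the list, so the change does not trade the refcount bypass for a leaked list entry.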

Sashiko doesn't like any of these changes.

https://patchwork.kernel.org/project/linux-rdma/patch/20260608103001.142648-1-vulab@iscas.ac.cn/

Does this change introduce a stack memory corruption risk?

Because iwpm_get_nlmsg_request() initializes the request with a refcount of
2, this kref_put() only decrements it to 1. The object is not freed or
removed from the global iwpm_nlmsg_req_list.

Jason
