From: Leon Romanovsky <leon@kernel.org>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Jason Gunthorpe <jgg@nvidia.com>,
Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>,
Zhu Yanjun <zyjzyj2000@gmail.com>,
linux-rdma@vger.kernel.org, Zhu Yanjun <yanjun.zhu@linux.dev>,
Jason Gunthorpe <jgg@ziepe.ca>,
Luis Chamberlain <mcgrof@kernel.org>,
Joel Granados <j.granados@samsung.com>
Subject: Re: [PATCH 5/5] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
Date: Sun, 9 Jun 2024 11:24:57 +0300 [thread overview]
Message-ID: <20240609082457.GA8976@unreal> (raw)
In-Reply-To: <20240605145117.397751-6-bvanassche@acm.org>
On Wed, Jun 05, 2024 at 08:51:01AM -0600, Bart Van Assche wrote:
> iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with
> an existing struct iw_cm_id (cm_id) as follows:
>
> conn_id->cm_id.iw = cm_id;
> cm_id->context = conn_id;
> cm_id->cm_handler = cma_iw_handler;
>
> rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make
> sure that cm_work_handler() does not trigger a use-after-free by only
> freeing of the struct rdma_id_private after all pending work has finished.
>
> Cc: stable
This is not right way to mark a patch for stable. I added the following
to the commit message and applied the patch:
Cc: stable@vger.kernel.org
Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref")
There is no clear Fixes tag which I can use, so I used the latest significant
commit that touch that area.
Thanks
> Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
> Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
> drivers/infiniband/core/iwcm.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
next prev parent reply other threads:[~2024-06-09 8:25 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-05 14:50 [PATCH 0/5] iWARP Connection Manager patches Bart Van Assche
2024-06-05 14:50 ` [PATCH 1/5] RDMA/iwcm: Use list_first_entry() where appropriate Bart Van Assche
2024-06-06 20:29 ` Zhu Yanjun
2024-06-05 14:50 ` [PATCH 2/5] RDMA/iwcm: Change the return type of iwcm_deref_id() Bart Van Assche
2024-06-05 20:17 ` Zhu Yanjun
2024-06-05 14:50 ` [PATCH 3/5] RDMA/iwcm: Simplify cm_event_handler() Bart Van Assche
2024-06-05 14:51 ` [PATCH 4/5] RDMA/iwcm: Simplify cm_work_handler() Bart Van Assche
2024-06-05 14:51 ` [PATCH 5/5] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs Bart Van Assche
2024-06-09 8:24 ` Leon Romanovsky [this message]
2024-06-09 8:25 ` [PATCH 0/5] iWARP Connection Manager patches Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240609082457.GA8976@unreal \
--to=leon@kernel.org \
--cc=bvanassche@acm.org \
--cc=j.granados@samsung.com \
--cc=jgg@nvidia.com \
--cc=jgg@ziepe.ca \
--cc=linux-rdma@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=shinichiro.kawasaki@wdc.com \
--cc=yanjun.zhu@linux.dev \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox