* Re: [PATCH] RDMA/rtrs: Fix use-after-free in path files cleanup [not found] <20260428105515.362051-1-lgs201920130244@gmail.com> @ 2026-05-11 11:35 ` Leon Romanovsky 2026-05-11 12:50 ` Guangshuo Li 0 siblings, 1 reply; 2+ messages in thread From: Leon Romanovsky @ 2026-05-11 11:35 UTC (permalink / raw) To: Guangshuo Li Cc: Md. Haris Iqbal, Jack Wang, Jason Gunthorpe, Vaishali Thakkar, linux-rdma, linux-kernel On Tue, Apr 28, 2026 at 06:55:15PM +0800, Guangshuo Li wrote: > Once kobject_put() is called on srv_path->kobj, the release callback may > be triggered and srv_path may be freed. Therefore, srv_path must not be > dereferenced after kobject_put(&srv_path->kobj). > > However, both rtrs_srv_create_path_files() and > rtrs_srv_destroy_path_files() call > rtrs_srv_destroy_once_sysfs_root_folders() after > kobject_put(&srv_path->kobj). The helper dereferences srv_path to get > srv_path->srv, which can lead to a use-after-free. > > Fix this by calling the sysfs root folder cleanup helper before > kobject_put(&srv_path->kobj), so srv_path is still valid when the helper > accesses it. This sentence is unclear. The srv_path reference appears many lines after rtrs_srv_destroy_path_files(). What exactly is the issue you are addressing here? Thanks ^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] RDMA/rtrs: Fix use-after-free in path files cleanup 2026-05-11 11:35 ` [PATCH] RDMA/rtrs: Fix use-after-free in path files cleanup Leon Romanovsky @ 2026-05-11 12:50 ` Guangshuo Li 0 siblings, 0 replies; 2+ messages in thread From: Guangshuo Li @ 2026-05-11 12:50 UTC (permalink / raw) To: Leon Romanovsky Cc: Md. Haris Iqbal, Jack Wang, Jason Gunthorpe, Vaishali Thakkar, linux-rdma, linux-kernel Hi Leon, Thanks for reviewing. On Mon, 11 May 2026 at 19:36, Leon Romanovsky <leon@kernel.org> wrote: > > On Tue, Apr 28, 2026 at 06:55:15PM +0800, Guangshuo Li wrote: > > Once kobject_put() is called on srv_path->kobj, the release callback may > > be triggered and srv_path may be freed. Therefore, srv_path must not be > > dereferenced after kobject_put(&srv_path->kobj). > > > > However, both rtrs_srv_create_path_files() and > > rtrs_srv_destroy_path_files() call > > rtrs_srv_destroy_once_sysfs_root_folders() after > > kobject_put(&srv_path->kobj). The helper dereferences srv_path to get > > srv_path->srv, which can lead to a use-after-free. > > > > Fix this by calling the sysfs root folder cleanup helper before > > kobject_put(&srv_path->kobj), so srv_path is still valid when the helper > > accesses it. > > This sentence is unclear. The srv_path reference appears many lines after > rtrs_srv_destroy_path_files(). What exactly is the issue you are addressing > here? > > Thanks I agree the commit message is not clear enough; I will send a v2 to clarify this. Thanks ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-11 12:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20260428105515.362051-1-lgs201920130244@gmail.com>
2026-05-11 11:35 ` [PATCH] RDMA/rtrs: Fix use-after-free in path files cleanup Leon Romanovsky
2026-05-11 12:50 ` Guangshuo Li
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox