[v2,0/3] Fix a use-after-free in the SRP target driver

Message ID	20220727193415.1583860-1-bvanassche@acm.org (mailing list archive)
Headers	show Return-Path: <linux-rdma-owner@kernel.org> From: Bart Van Assche <bvanassche@acm.org> To: Jason Gunthorpe <jgg@ziepe.ca> Cc: Leon Romanovsky <leonro@mellanox.com>, linux-rdma@vger.kernel.org, Li Zhijian <lizhijian@fujitsu.com>, Hillf Danton <hdanton@sina.com>, Mike Christie <michael.christie@oracle.com>, Bart Van Assche <bvanassche@acm.org> Subject: [PATCH v2 0/3] Fix a use-after-free in the SRP target driver Date: Wed, 27 Jul 2022 12:34:12 -0700 Message-Id: <20220727193415.1583860-1-bvanassche@acm.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Fix a use-after-free in the SRP target driver \| expand [v2,0/3] Fix a use-after-free in the SRP target driver [v2,1/3] RDMA/srpt: Duplicate port name members [v2,2/3] RDMA/srpt: Introduce a reference count in struct srpt_device [v2,3/3] RDMA/srpt: Fix a use-after-free

Message ID

20220727193415.1583860-1-bvanassche@acm.org (mailing list archive)

Headers

From: Bart Van Assche <bvanassche@acm.org>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leonro@mellanox.com>, linux-rdma@vger.kernel.org,
        Li Zhijian <lizhijian@fujitsu.com>,
        Hillf Danton <hdanton@sina.com>,
        Mike Christie <michael.christie@oracle.com>,
        Bart Van Assche <bvanassche@acm.org>
Subject: [PATCH v2 0/3] Fix a use-after-free in the SRP target driver
Date: Wed, 27 Jul 2022 12:34:12 -0700
Message-Id: <20220727193415.1583860-1-bvanassche@acm.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Fix a use-after-free in the SRP target driver | expand

Message

Bart Van Assche July 27, 2022, 7:34 p.m. UTC

Hi Jason,

A known issue in the SRP target driver is that a use-after-free is triggered
if an RDMA port is removed while a LIO target port is still associated with
that RDMA port. This patch series fixes that use-after-free.

Thanks,

Bart.

See also:
* Commit 9b64f7d0bb0a ("RDMA/srpt: Postpone HCA removal until after configfs directory removal").
* https://lore.kernel.org/all/17649b9c-7e42-1625-8bc9-8ad333ab771c@fujitsu.com/

Changes compared to v1:
- Left out three BUG_ON() statements.
- Added three WARN_ON_ONCE() statements.
- Removed an unnecessary if (!sport_id) statement block.

Bart Van Assche (3):
  RDMA/srpt: Duplicate port name members
  RDMA/srpt: Introduce a reference count in struct srpt_device
  RDMA/srpt: Fix a use-after-free

 drivers/infiniband/ulp/srpt/ib_srpt.c | 148 ++++++++++++++++++--------
 drivers/infiniband/ulp/srpt/ib_srpt.h |  18 ++--
 2 files changed, 118 insertions(+), 48 deletions(-)

Comments

Jason Gunthorpe July 29, 2022, 7:46 p.m. UTC | #1

On Wed, Jul 27, 2022 at 12:34:12PM -0700, Bart Van Assche wrote:
> Hi Jason,
> 
> A known issue in the SRP target driver is that a use-after-free is triggered
> if an RDMA port is removed while a LIO target port is still associated with
> that RDMA port. This patch series fixes that use-after-free.

Applied to for-next, thanks

Jason