diff mbox series

RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()

Message ID 20a1a47c-8906-44e8-92e6-9b3e698b1491@web.de (mailing list archive)
State New
Headers show
Series RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() | expand

Commit Message

Markus Elfring March 5, 2025, 2:20 p.m. UTC 
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Wed, 5 Mar 2025 15:07:51 +0100

The implementation of the function “erdma_accept_newconn” contained
still the statement “new_cep->sock = NULL” after
the function call “erdma_cep_put(new_cep)”.
Thus delete an inappropriate reset action.

Reported-by: Cheng Xu <chengyou@linux.alibaba.com>
Link: https://lore.kernel.org/cocci/167179d0-e1ea-39a8-4143-949ad57294c2@linux.alibaba.com/
Link: https://lkml.org/lkml/2023/3/19/191
Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
 drivers/infiniband/hw/erdma/erdma_cm.c | 1 -
 1 file changed, 1 deletion(-)

--
2.48.1

Comments

Leon Romanovsky March 6, 2025, 8:47 a.m. UTC | #1 
On Wed, Mar 05, 2025 at 03:20:41PM +0100, Markus Elfring wrote:
> From: Markus Elfring <elfring@users.sourceforge.net>
> Date: Wed, 5 Mar 2025 15:07:51 +0100
> 
> The implementation of the function “erdma_accept_newconn” contained
> still the statement “new_cep->sock = NULL” after
> the function call “erdma_cep_put(new_cep)”.
> Thus delete an inappropriate reset action.
> 
> Reported-by: Cheng Xu <chengyou@linux.alibaba.com>

Cheng, please resubmit this patch, I'm experiencing the same issues as
Christophe has here https://lore.kernel.org/all/20a1a47c-8906-44e8-92e6-9b3e698b1491@web.de
and it looks like Markus continues do not listen to the feedback.

Thanks
Cheng Xu March 6, 2025, 12:06 p.m. UTC | #2 
On 3/6/25 4:47 PM, Leon Romanovsky wrote:
> On Wed, Mar 05, 2025 at 03:20:41PM +0100, Markus Elfring wrote:
>> From: Markus Elfring <elfring@users.sourceforge.net>
>> Date: Wed, 5 Mar 2025 15:07:51 +0100
>>
>> The implementation of the function “erdma_accept_newconn” contained
>> still the statement “new_cep->sock = NULL” after
>> the function call “erdma_cep_put(new_cep)”.
>> Thus delete an inappropriate reset action.
>>
>> Reported-by: Cheng Xu <chengyou@linux.alibaba.com>
> 
> Cheng, please resubmit this patch, I'm experiencing the same issues as
> Christophe has here https://lore.kernel.org/all/20a1a47c-8906-44e8-92e6-9b3e698b1491@web.de
> and it looks like Markus continues do not listen to the feedback.
> 

Hi Leon,

Sure, I just resubmitted the patch, please review and apply.

Thanks,
Cheng Xu

> Thanks
diff mbox series

Patch

diff --git a/drivers/infiniband/hw/erdma/erdma_cm.c b/drivers/infiniband/hw/erdma/erdma_cm.c
index 1b23c698ec25..e0acc185e719 100644
--- a/drivers/infiniband/hw/erdma/erdma_cm.c
+++ b/drivers/infiniband/hw/erdma/erdma_cm.c
@@ -709,7 +709,6 @@  static void erdma_accept_newconn(struct erdma_cep *cep)
 		erdma_cancel_mpatimer(new_cep);

 		erdma_cep_put(new_cep);
-		new_cep->sock = NULL;
 	}

 	if (new_s) {