Re: use-after-free in srpt_enable_tpg()

On 6/30/22 18:59, Hillf Danton wrote:
> That hang can be skipped by removing the wait loop in
> srpt_release_sport() - in the direction of 9b64f7d0bb0a, sdev will not
> go home if any sport's refcount does not drop on ground. To do that, add
> port refcount to sdev in the diff below in a bid to resurrect 9b64f7d0bb0a.
>
> Then gc work can be added for dying sports to drop tpg after delaying a second.

I'm afraid that the patch from your email will lead to a use-after-free of sdev->pd. As long as a session is live the ch->qp pointer may be dereferenced. The sdev->pd pointer is stored in the pd member of struct ib_qp and hence may be dereferenced by any function that uses ch->qp.

Thanks,

Bart.
