On Sat, Jun 03, 2023 at 09:46:20AM +0900, Shin'ichiro Kawasaki wrote:
> When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private
> *id_priv can be destroyed during the cma_iw_handler call. This causes "BUG:
> KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler().
> To prevent the destruction of id_priv, keep its reference count by calling
> cma_id_get() and cma_id_put() at the start and end of cma_iw_handler().

Please add the relevant kernel panic to the commit message.

>
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx

Add a Fixes line when you are fixing a bug.

> ---
> The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031,
> using the SIW transport [1]. To reproduce it, it is required to repeat the test
> cases 30 to 50 times on my test system.
>
> [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/
>
> drivers/infiniband/core/cma.c | 3 +++
> 1 file changed, 3 insertions(+)

The fix looks correct to me.

Thanks
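The race the patch closes, modelled in user space as an added example (this is not the kernel's code nor the patch itself): the names cma_id_get(), cma_id_put(), rdma_destroy_id() and cma_iw_handler() mirror the kernel functions but are constructed mocks with a plain integer refcount, and "destroy runs while the handler is still working" is simulated by a flag instead of a second thread.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Counts how many times the model freed an id_priv, so the handler can
 * tell "object already gone" without dereferencing freed memory. */
static int frees;

struct rdma_id_private {
    int refcount;     /* stands in for the kernel's kref on id_priv */
    int handler_busy; /* stands in for mutex_lock(&id_priv->handler_mutex) */
};

static void cma_id_get(struct rdma_id_private *p) { p->refcount++; }

static void cma_id_put(struct rdma_id_private *p)
{
    if (--p->refcount == 0) { free(p); frees++; }
}

/* Owner's reference is the only one held after creation. */
static struct rdma_id_private *create_id(void)
{
    struct rdma_id_private *p = calloc(1, sizeof *p);
    if (p) p->refcount = 1;
    return p;
}

/* rdma_destroy_id() drops the owner's reference; if no handler holds one,
 * the object is freed right here, under the handler's feet. */
static void rdma_destroy_id(struct rdma_id_private *p) { cma_id_put(p); }

/* guarded = patched variant (get/put around the body); race = destroy fires
 * mid-handler. Returns true if id_priv was still alive when the handler
 * touched it (the unpatched, raced case is the KASAN use-after-free). */
static bool cma_iw_handler(struct rdma_id_private *p, bool guarded, bool race)
{
    int before = frees;
    if (guarded) cma_id_get(p);          /* patch: pin id_priv for the handler */
    if (race) rdma_destroy_id(p);        /* concurrent destroy */
    bool alive = (frees == before);      /* would be a UAF deref if false */
    if (alive) p->handler_busy = 1;      /* the mutex_lock() site */
    if (guarded) cma_id_put(p);          /* last ref: freed only now, after use */
    return alive;
}

/* Run one scenario; when no race was simulated, the owner destroys at the end. */
static bool run_scenario(bool guarded, bool race)
{
    struct rdma_id_private *p = create_id();
    bool alive = cma_iw_handler(p, guarded, race);
    if (!race) rdma_destroy_id(p);
    return alive;
}

static int freed_count(void) { return frees; }
```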