Thanks for the comments.
On Jun 11, 2023 / 16:37, Leon Romanovsky wrote:
> On Sat, Jun 03, 2023 at 09:46:20AM +0900, Shin'ichiro Kawasaki wrote:
> > When rdma_destroy_id() and cma_iw_handler() race, struct rdma_id_private
> > *id_priv can be destroyed during cma_iw_handler call. This causes "BUG:
> > KASAN: slab-use-after-free" at mutex_lock() in cma_iw_handler().
> > To prevent the destroy of id_priv, keep its reference count by calling
> > cma_id_get() and cma_id_put() at start and end of cma_iw_handler().
>
> Please add relevant kernel panic to commit message.
Sure, will do in v2.
>
> >
> > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
>
> Add Fixes line when you are fixing bug.
I see. I checked commit logs of drivers/infinibad/core/cma.c. It looks the issue
has been existing since the commit de910bd92137 ("RDMA/cma: Simplify locking
needed for serialization of callbacks") in 2008, which modified the method to
guard id_priv. I'll add the Fixes tag with this commit.
>
> > ---
> > The BUG KASAN was observed with blktests at test cases nvme/030 or nvme/031,
> > using SIW transport [1]. To reproduce it, it is required to repeat the test
> > cases from 30 to 50 times on my test system.
> >
> > [1] https://lore.kernel.org/linux-block/rsmmxrchy6voi5qhl4irss5sprna3f5owkqtvybxglcv2pnylm@xmrnpfu3tfpe/
> >
> > drivers/infiniband/core/cma.c | 3 +++
> > 1 file changed, 3 insertions(+)
>
> The fix looks correct to me.
>
> Thanks
