Upon occasion, KASAN testing would report a use-after-free Write in srpt_refresh_port(). In the course of trying to diagnose this, I noticed that the code in srpt_add_one() registers an event handler for the srpt device and then initializes the ports on the device. If any portion of the device port initialization fails, it removes the registration for the event handler in the error leg. This felt like a race condition, where an event handler was registered before the device ports were fully initialized. While I can't definitively say this was the issue - this change may just modify timing to mask the real issue - when modified to not register the event handler until all of the device ports are intialized, the issue no longer reproduces in KASAN. Changelog: v2: * Added Fixes tag William Kucharski (1): RDMA/srpt: Do not register event handler until srpt device is fully setup drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -- 2.39.3 Upon occasion, KASAN testing would report a use-after-free Write in srpt_refresh_port(). In the course of trying to diagnose this, I noticed that the code in srpt_add_one() registers an event handler for the srpt device and then initializes the ports on the device. If any portion of the device port initialization fails, it removes the registration for the event handler in the error leg. This felt like a race condition, where an event handler was registered before the device ports were fully initialized. While I can't definitively say this was the issue - this change may just modify timing to mask the real issue - when modified to not register the event handler until all of the device ports are intialized, the issue no longer reproduces in KASAN. I'm submitting this patch if only so those better acquainted with the details of this procedure can analyze whether this was an actual issue or just intellectual uncomfortableness with the code. William Kucharski (1): Upon rare occasions, KASAN reports a use-after-free Write in srpt_refresh_port(). drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -- 2.43.0
