On 6/4/24 14:22, Jason Gunthorpe wrote:
From 879ca4e5f9ab8c4ce522b4edc144a3938a2f4afb Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bvanassche@xxxxxxx>
Date: Tue, 4 Jun 2024 12:49:44 -0700
Subject: [PATCH] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with
an existing struct iw_cm_id (cm_id) as follows:
conn_id->cm_id.iw = cm_id;
cm_id->context = conn_id;
cm_id->cm_handler = cma_iw_handler;
rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make
sure that cm_work_handler() does not trigger a use-after-free by delaying
freeing of the struct rdma_id_private until all pending work has finished.
I didn't try to look in detail but this certainly makes more sense to
me as a possible solution to a UAF.
Presumably destroy_cm_id() does something to prevent new work from
being scheduled?
Yes, it removes the iWARP CM ID from all the data structures that are consulted
when an incoming CM packet arrives.
Thanks,
Bart.
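The deferred-release pattern the commit message describes, as a constructed user-space C model added here for illustration (it is not the kernel's code nor anything from the patch; `id_table`, `work_queue`, `id_destroy()`, `run_pending_work()` and the other names are hypothetical stand-ins for the iWARP CM structures). Destroy first unlinks the id from the table that incoming packets are matched against, so no new work can be scheduled, and frees the object immediately only when nothing is pending; otherwise the last queued work item performs the release, so the handler never runs on freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical user-space model of "delay freeing until all pending work has
 * finished", the pattern the commit message describes. Not the kernel's
 * rdma_destroy_id()/cm_work_handler() code: the lookup table and work queue
 * are simplified stand-ins for the iWARP CM data structures. */
struct id_private {
	int   pending_work;  /* work items queued for this id but not yet run */
	bool  destroying;    /* destroy requested; free once pending_work is 0 */
	bool *freed_flag;    /* test hook: set to true when the object is freed */
};

#define MAX_IDS  8
#define MAX_WORK 16

/* Lookup table for incoming packets, and the FIFO of pending work items. */
static struct id_private *id_table[MAX_IDS];
static struct id_private *work_queue[MAX_WORK];
static unsigned work_head, work_tail;

static int id_slot(struct id_private *id)
{
	for (int i = 0; i < MAX_IDS; i++)
		if (id_table[i] == id)
			return i;
	return -1;
}

static struct id_private *id_create(bool *freed_flag)
{
	int slot = id_slot(NULL);  /* first free table entry, -1 if full */
	struct id_private *id = slot < 0 ? NULL : calloc(1, sizeof(*id));
	if (!id)
		return NULL;
	id->freed_flag = freed_flag;
	id_table[slot] = id;
	return id;
}

static void id_release(struct id_private *id)
{
	*id->freed_flag = true;
	free(id);
}

/* Incoming packet for `target`: schedule work only while the id is still in
 * the table, i.e. before destroy has unlinked it. */
static bool id_queue_work(struct id_private *target)
{
	if (id_slot(target) < 0)
		return false;
	target->pending_work++;
	work_queue[work_tail++ % MAX_WORK] = target;
	return true;
}

/* Unlink first so nothing new can be scheduled, then free immediately only
 * if no work is pending; otherwise the last work item releases the object. */
static void id_destroy(struct id_private *id)
{
	int slot = id_slot(id);
	if (slot >= 0)
		id_table[slot] = NULL;
	id->destroying = true;
	if (id->pending_work == 0)
		id_release(id);
}

/* Work handler: every item finds a live object; release waits for it. */
static int run_pending_work(void)
{
	int ran = 0;
	while (work_head != work_tail) {
		struct id_private *id = work_queue[work_head++ % MAX_WORK];
		ran++;
		if (--id->pending_work == 0 && id->destroying)
			id_release(id);
	}
	return ran;
}

/* Destroy with two items queued: object outlives both, freed once after. */
static bool demo_deferred_destroy(void)
{
	bool freed = false;
	struct id_private *id = id_create(&freed);
	if (!id || !id_queue_work(id) || !id_queue_work(id))
		return false;
	id_destroy(id);
	if (freed || id_queue_work(id))  /* still live, but no new work accepted */
		return false;
	return run_pending_work() == 2 && freed;
}

int main(void)
{
	printf("deferred destroy: %s\n", demo_deferred_destroy() ? "ok" : "FAIL");
	return 0;
}
```

The single-threaded queue stands in for the workqueue; in the kernel the same ordering (unlink, then wait for or hand off to the last pending work item) is what keeps the handler from dereferencing a freed struct rdma_id_private.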