Re: [PATCH 5/5] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

On Wed, Jun 05, 2024 at 08:51:01AM -0600, Bart Van Assche wrote:
> iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with
> an existing struct iw_cm_id (cm_id) as follows:
> 
>         conn_id->cm_id.iw = cm_id;
>         cm_id->context = conn_id;
>         cm_id->cm_handler = cma_iw_handler;
> 
> rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make
> sure that cm_work_handler() does not trigger a use-after-free by only
> freeing the struct rdma_id_private after all pending work has finished.
> 
> Cc: stable

This is not the right way to mark a patch for stable. I added the following
to the commit message and applied the patch:

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref")

There is no clear Fixes tag which I can use, so I used the latest significant
commit that touches that area.

Thanks

> Reviewed-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
> Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
> ---
>  drivers/infiniband/core/iwcm.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)



