Re: use-after-free in srpt_enable_tpg()

From: Bart Van Assche
Date: Sat Jul 02 2022 - 18:26:43 EST

Next message: Andy Shevchenko: "[PATCH v1 1/1] ASoC: Intel: catpt: remove duplicating driver data retrieval"
Previous message: syzbot: "Re: [syzbot] INFO: task hung in __input_unregister_device (4)"
Next in thread: Bart Van Assche: "Re: use-after-free in srpt_enable_tpg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/30/22 18:59, Hillf Danton wrote:

That hang can be skipped by removing the wait loop in
srpt_release_sport() - in the direction of 9b64f7d0bb0a, sdev will not
go home if any sport's refcount does not drop on ground. To do that, add
port refcount to sdev in the diff below in bid to resurrect 9b64f7d0bb0a.

Then gc work can be added for dying sports to drop tpg after delaying a second.

I'm afraid that the patch from your email will lead to a use-after-free of sdev->pd. As long as a session is live the ch->qp pointer may be dereferenced. The sdev->pd pointer is stored in the pd member of struct ib_qp and hence may be dereferenced by any function that uses ch->qp.

Thanks,

Bart.

Next message: Andy Shevchenko: "[PATCH v1 1/1] ASoC: Intel: catpt: remove duplicating driver data retrieval"
Previous message: syzbot: "Re: [syzbot] INFO: task hung in __input_unregister_device (4)"
Next in thread: Bart Van Assche: "Re: use-after-free in srpt_enable_tpg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]