Re: use-after-free in srpt_enable_tpg()

[Bart Van Assche]

On 7/5/22 04:40, Hillf Danton wrote:
> If no compat devices can be added to ib_device with DEVICE_REGISTERED
> cleared then they can be removed without ib_device's refcount dropping
> to zero.
> Even if that is not strictly true, a new flag that marks ib device
> disabled and prevents new compact devices from being added can be added
> in bid to cut the wait for completion.
>
> Hillf
>
> +++ b/drivers/infiniband/core/device.c
> @@ -1265,6 +1265,7 @@ static void disable_device(struct ib_dev
>   
>   	down_write(&devices_rwsem);
>   	xa_clear_mark(&devices, device->index, DEVICE_REGISTERED);
> +	// device->disabled = true;
>   	up_write(&devices_rwsem);
>   
>   	/*
> @@ -1282,17 +1283,10 @@ static void disable_device(struct ib_dev
>   	}
>   
>   	ib_cq_pool_cleanup(device);
> +	remove_compat_devs(device);
>   
>   	/* Pairs with refcount_set in enable_device */
>   	ib_device_put(device);
> -	wait_for_completion(&device->unreg_completion);
> -
> -	/*
> -	 * compat devices must be removed after device refcount drops to zero.
> -	 * Otherwise init_net() may add more compatdevs after removing compat
> -	 * devices and before device is disabled.
> -	 */
> -	remove_compat_devs(device);
>   }

I'm not convinced the above patch is a step in the right direction nor 
that it is correct. Anyway, since the RDMA maintainers know this code 
better than I do I will let them comment on the above patch.

Bart.