[PATCH net 0/2] net/smc: fix potential UAF in smc_pnet_add_ib

Li Xiasong posted 2 patches 1 week, 1 day ago
net/smc/smc_pnet.c | 121 ++++++++++++++++++++++++++++-----------------
1 file changed, 75 insertions(+), 46 deletions(-)
Posted by Li Xiasong 1 week, 1 day ago
This series fixes potential use-after-free issues in smc_pnet_add_ib()
where the device pointer could be freed between find and apply operations.

The race occurs because smc_pnet_find_ib() and smc_pnet_find_smcd()
release the mutex before returning the device pointer. If the device is
removed (e.g., via smc_ib_remove_dev() or smcd_unregister_dev()) before
smc_pnet_apply_ib() or smc_pnet_apply_smcd() is called, the freed
pointer will be accessed.

Patch 1 fixes the issue for ib device, and patch 2 fixes the same issue
for smcd device.

Li Xiasong (2):
  net/smc: fix potential UAF in smc_pnet_add_ib for ib device
  net/smc: fix potential UAF in smc_pnet_add_ib for smcd device

 net/smc/smc_pnet.c | 121 ++++++++++++++++++++++++++++-----------------
 1 file changed, 75 insertions(+), 46 deletions(-)

-- 
2.34.1
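
The find/apply window described in the cover letter, as an added userspace model; it is not code from this series or from net/smc. All names (`dev_find`, `dev_find_and_apply`, `dev_add`, `dev_remove`, the id-indexed table) are hypothetical, a pthread mutex stands in for the kernel mutex, and holding the lock across lookup and apply is one common way to close such a window, assumed here rather than taken from the patches.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Userspace model with hypothetical names, not the kernel's SMC code. */
#define NDEV 8
struct dev { int pnetid_set; };
static pthread_mutex_t dev_lock = PTHREAD_MUTEX_INITIALIZER;
static struct dev *devs[NDEV];              /* protected by dev_lock */

/* Racy shape: the pointer outlives the lock hold, so a concurrent
 * dev_remove() can free it before the caller applies anything. */
struct dev *dev_find(unsigned id)
{
    pthread_mutex_lock(&dev_lock);
    struct dev *d = id < NDEV ? devs[id] : NULL;
    pthread_mutex_unlock(&dev_lock);
    return d;                               /* may dangle from here on */
}

/* Closed window: lookup and update share one lock hold. */
int dev_find_and_apply(unsigned id)
{
    pthread_mutex_lock(&dev_lock);
    struct dev *d = id < NDEV ? devs[id] : NULL;
    if (d) d->pnetid_set = 1;
    int rc = d ? 0 : -ENOENT;
    pthread_mutex_unlock(&dev_lock);
    return rc;
}

int dev_add(unsigned id)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) return -ENOMEM;
    pthread_mutex_lock(&dev_lock);
    int rc = id >= NDEV ? -EINVAL : devs[id] ? -EEXIST : 0;
    if (!rc) devs[id] = d;
    pthread_mutex_unlock(&dev_lock);
    if (rc) free(d);                        /* slot invalid or taken */
    return rc;
}

int dev_remove(unsigned id)
{
    pthread_mutex_lock(&dev_lock);
    struct dev *d = id < NDEV ? devs[id] : NULL;
    if (d) devs[id] = NULL;                 /* unpublish before freeing */
    int rc = d ? 0 : -ENOENT;
    pthread_mutex_unlock(&dev_lock);
    free(d);               /* pointers handed out by dev_find() now dangle */
    return rc;
}
```

A caller that needs the pointer after the lock is dropped would instead have to pin the object, for example with a reference count taken under the lock.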