[PATCH v3] RDMA/rtrs: Fix use-after-free in path file creation cleanup

Guangshuo Li posted 1 patch 4 weeks, 1 day ago
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by Guangshuo Li 4 weeks, 1 day ago
In the error path of rtrs_srv_create_path_files(), the sysfs root folders
may already have been created and srv_path->kobj may already have been
initialized. If a later step fails, the cleanup currently calls
kobject_put(&srv_path->kobj) before
rtrs_srv_destroy_once_sysfs_root_folders(srv_path).

kobject_put() may drop the last reference to srv_path->kobj and invoke the
release callback, rtrs_srv_release(), which frees srv_path. The following
call to rtrs_srv_destroy_once_sysfs_root_folders(srv_path) then
dereferences srv_path internally to access srv_path->srv, resulting in a
use-after-free.

This failure path is reached before rtrs_srv_create_path_files() returns
success, so the successful-path lifetime handling is not involved.

Fix this by destroying the sysfs root folders before calling
kobject_put(&srv_path->kobj), so srv_path is still valid while the helper
accesses it.

This issue was found by a static analysis tool I am developing.

Fixes: ae4c81644e91 ("RDMA/rtrs-srv: Rename rtrs_srv_sess to rtrs_srv_path")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v3:
  - Clarify that the use-after-free is in the
    rtrs_srv_create_path_files() error path.
  - Explain that this path is before the function returns success, so the
    successful-path lifetime handling is not involved.
  - Drop the rtrs_srv_destroy_path_files() change.

v2:
  - Clarify that rtrs_srv_destroy_once_sysfs_root_folders() dereferences
    srv_path internally.
  - No code changes.

 drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
index 51727c7d710c..9dd9141c86a5 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
@@ -295,8 +295,8 @@ int rtrs_srv_create_path_files(struct rtrs_srv_path *srv_path)
 put_kobj:
 	kobject_del(&srv_path->kobj);
 destroy_root:
-	kobject_put(&srv_path->kobj);
 	rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
+	kobject_put(&srv_path->kobj);
 
 	return err;
 }
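Review bot: the reordering at the `destroy_root:` label is correct, but nothing in the code now records why it is load-bearing, so a later cleanup could swap the two calls back. `kobject_put(&srv_path->kobj)` can run `rtrs_srv_release()` and free `srv_path`, while `rtrs_srv_destroy_once_sysfs_root_folders(srv_path)` dereferences `srv_path->srv`; suggest a one-line comment above the `rtrs_srv_destroy_once_sysfs_root_folders(srv_path);` line stating that it must precede the final put because the release callback frees `srv_path`. The kobject_del()/kobject_put() pairing in the visible context is otherwise unchanged by this hunk.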
-- 
2.43.0
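The ordering hazard the commit message describes, modeled in userspace C as an added example (constructed here; this is not rtrs driver code). It keeps the shape of the kernel pattern: a kobject-like refcount whose release callback frees the embedding object, and a helper that dereferences that object. The "free" is simulated with a flag so the buggy order is detected instead of being undefined behaviour; all names (`model_*`, `cleanup_buggy`, `cleanup_fixed`) are invented for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the rtrs cleanup ordering bug, not the driver's code.
 * model_kobj stands in for struct kobject, model_path for struct rtrs_srv_path. */
struct model_kobj {
    int refcount;
    void (*release)(struct model_kobj *kobj);
};

struct model_srv {
    int root_folders;   /* "sysfs root folders" still present */
};

struct model_path {
    struct model_kobj kobj;
    struct model_srv *srv;
    int freed;          /* set by model_free() instead of returning the memory */
};

static struct model_path g_path;
static struct model_srv g_srv;
static int uaf_detected;

/* Simulated free: the storage is never handed back, so a later read is
 * well-defined here and can be detected via the flag (a real kernel would
 * give a KASAN report or silent corruption instead). */
static void model_free(struct model_path *p)
{
    p->freed = 1;
}

/* Mirrors rtrs_srv_release(): the release callback frees the container. */
static void model_release(struct model_kobj *kobj)
{
    struct model_path *p =
        (struct model_path *)((char *)kobj - offsetof(struct model_path, kobj));
    model_free(p);
}

/* Mirrors kobject_put(): dropping the last reference runs release(). */
static void model_kobject_put(struct model_kobj *kobj)
{
    if (--kobj->refcount == 0)
        kobj->release(kobj);
}

/* Mirrors rtrs_srv_destroy_once_sysfs_root_folders(): it dereferences
 * srv_path->srv, so srv_path must still be live when it runs. */
static int model_destroy_root_folders(struct model_path *p)
{
    if (p->freed) {
        uaf_detected = 1;
        return -1;
    }
    p->srv->root_folders = 0;
    return 0;
}

/* Order before the patch: drop the reference, then touch srv_path. */
static int cleanup_buggy(struct model_path *p)
{
    model_kobject_put(&p->kobj);
    return model_destroy_root_folders(p);
}

/* Order after the patch: tear down the folders, then drop the reference. */
static int cleanup_fixed(struct model_path *p)
{
    int err = model_destroy_root_folders(p);
    model_kobject_put(&p->kobj);
    return err;
}

/* Reset to the state of the error path (one reference held, folders present)
 * and run one cleanup variant; returns that cleanup's result. */
static int run_cleanup(int (*cleanup)(struct model_path *))
{
    memset(&g_path, 0, sizeof(g_path));
    g_srv.root_folders = 1;
    g_path.kobj.refcount = 1;
    g_path.kobj.release = model_release;
    g_path.srv = &g_srv;
    uaf_detected = 0;
    return cleanup(&g_path);
}

static int run_cleanup_buggy(void) { return run_cleanup(cleanup_buggy); }
static int run_cleanup_fixed(void) { return run_cleanup(cleanup_fixed); }

int main(void)
{
    printf("buggy order: err=%d uaf_detected=%d\n", run_cleanup_buggy(), uaf_detected);
    printf("fixed order: err=%d uaf_detected=%d folders=%d freed=%d\n",
           run_cleanup_fixed(), uaf_detected, g_srv.root_folders, g_path.freed);
    return 0;
}
```

The model only differs from the real driver in how the free is observed; the ordering rule it demonstrates is the general one for any refcounted object with a release callback: every access to the container must happen before the put that can be the last one.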
Re: [PATCH v3] RDMA/rtrs: Fix use-after-free in path file creation cleanup
Posted by Leon Romanovsky 3 weeks, 4 days ago
On Thu, 14 May 2026 19:38:34 +0800, Guangshuo Li wrote:
> In the error path of rtrs_srv_create_path_files(), the sysfs root folders
> may already have been created and srv_path->kobj may already have been
> initialized. If a later step fails, the cleanup currently calls
> kobject_put(&srv_path->kobj) before
> rtrs_srv_destroy_once_sysfs_root_folders(srv_path).
> 
> kobject_put() may drop the last reference to srv_path->kobj and invoke the
> release callback, rtrs_srv_release(), which frees srv_path. The following
> call to rtrs_srv_destroy_once_sysfs_root_folders(srv_path) then
> dereferences srv_path internally to access srv_path->srv, resulting in a
> use-after-free.
> 
> [...]

Applied, thanks!

[1/1] RDMA/rtrs: Fix use-after-free in path file creation cleanup
      https://git.kernel.org/rdma/rdma/c/df07e2abe7e8a1

Best regards,
-- 
Leon Romanovsky <leon@kernel.org>