Re: [PATCH v3] RDMA/rtrs: Fix use-after-free in path file creation cleanup

Next message: Greg KH: "Re: [PATCH] net: octeon: fix carrier state, null guard, and modernize phy ioctl"
Previous message: Rodrigo Alencar: "Re: [PATCH v6 09/12] iio: dac: ad5686: add helpers to handle powerdown masks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Sun May 17 2026 - 10:42:18 EST

On Thu, 14 May 2026 19:38:34 +0800, Guangshuo Li wrote:
> In the error path of rtrs_srv_create_path_files(), the sysfs root folders
> may already have been created and srv_path->kobj may already have been
> initialized. If a later step fails, the cleanup currently calls
> kobject_put(&srv_path->kobj) before
> rtrs_srv_destroy_once_sysfs_root_folders(srv_path).
>
> kobject_put() may drop the last reference to srv_path->kobj and invoke the
> release callback, rtrs_srv_release(), which frees srv_path. The following
> call to rtrs_srv_destroy_once_sysfs_root_folders(srv_path) then
> dereferences srv_path internally to access srv_path->srv, resulting in a
> use-after-free.
>
> [...]

Applied, thanks!

[1/1] RDMA/rtrs: Fix use-after-free in path file creation cleanup
https://git.kernel.org/rdma/rdma/c/df07e2abe7e8a1

Best regards,
--
Leon Romanovsky <leon@xxxxxxxxxx>