[PATCH] RDMA/rtrs: Fix use-after-free in path files cleanup
From: Guangshuo Li
Date: Tue Apr 28 2026 - 07:15:04 EST
Once kobject_put() is called on srv_path->kobj, the release callback may
be triggered and srv_path may be freed. Therefore, srv_path must not be
dereferenced after kobject_put(&srv_path->kobj).
However, both rtrs_srv_create_path_files() and
rtrs_srv_destroy_path_files() call
rtrs_srv_destroy_once_sysfs_root_folders() after
kobject_put(&srv_path->kobj). The helper dereferences srv_path to get
srv_path->srv, which can lead to a use-after-free.
Fix this by calling the sysfs root folder cleanup helper before
kobject_put(&srv_path->kobj), so srv_path is still valid when the helper
accesses it.
This issue was found by a static analysis tool I am developing.
Fixes: ae4c81644e91 ("RDMA/rtrs-srv: Rename rtrs_srv_sess to rtrs_srv_path")
Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
---
drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
index 51727c7d710c..c9ba9d2d0eb3 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c
@@ -295,8 +295,8 @@ int rtrs_srv_create_path_files(struct rtrs_srv_path *srv_path)
put_kobj:
kobject_del(&srv_path->kobj);
destroy_root:
- kobject_put(&srv_path->kobj);
rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
+ kobject_put(&srv_path->kobj);
return err;
}
@@ -312,8 +312,8 @@ void rtrs_srv_destroy_path_files(struct rtrs_srv_path *srv_path)
if (srv_path->kobj.state_in_sysfs) {
sysfs_remove_group(&srv_path->kobj, &rtrs_srv_path_attr_group);
- kobject_put(&srv_path->kobj);
rtrs_srv_destroy_once_sysfs_root_folders(srv_path);
+ kobject_put(&srv_path->kobj);
}
}
--
2.43.0