Thread (5 messages) 5 messages, 2 authors, 2026-03-29
STALE97d

[PATCH net 0/2] net/smc: fix potential UAF in smc_pnet_add_ib

From: Li Xiasong <hidden>
Date: 2026-03-25 10:40:58
Also in: linux-rdma, linux-s390, lkml

This series fixes potential use-after-free issues in smc_pnet_add_ib()
where the device pointer could be freed between find and apply operations.

The race occurs because smc_pnet_find_ib() and smc_pnet_find_smcd()
release the mutex before returning the device pointer. If the device is
removed (e.g., via smc_ib_remove_dev() or smcd_unregister_dev()) before
smc_pnet_apply_ib() or smc_pnet_apply_smcd() is called, the freed
pointer will be accessed.

Patch 1 fixes the issue for ib device, and patch 2 fixes the same issue
for smcd device.

Li Xiasong (2):
  net/smc: fix potential UAF in smc_pnet_add_ib for ib device
  net/smc: fix potential UAF in smc_pnet_add_ib for smcd device

 net/smc/smc_pnet.c | 121 ++++++++++++++++++++++++++++-----------------
 1 file changed, 75 insertions(+), 46 deletions(-)

-- 
2.34.1
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help