[PATCH net 0/2] net/smc: fix potential UAF in smc_pnet_add_ib
From: Li Xiasong <hidden>
Date: 2026-03-25 10:40:58
Also in:
linux-rdma, linux-s390, lkml

This series fixes potential use-after-free issues in smc_pnet_add_ib() where the device pointer could be freed between find and apply operations.

The race occurs because smc_pnet_find_ib() and smc_pnet_find_smcd() release the mutex before returning the device pointer. If the device is removed (e.g., via smc_ib_remove_dev() or smcd_unregister_dev()) before smc_pnet_apply_ib() or smc_pnet_apply_smcd() is called, the freed pointer will be accessed.

Patch 1 fixes the issue for ib device, and patch 2 fixes the same issue for smcd device.

Li Xiasong (2):
  net/smc: fix potential UAF in smc_pnet_add_ib for ib device
  net/smc: fix potential UAF in smc_pnet_add_ib for smcd device

 net/smc/smc_pnet.c | 121 ++++++++++++++++++++++++++++-----------------
 1 file changed, 75 insertions(+), 46 deletions(-)

--
2.34.1
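
The find-then-apply window described in the cover letter disappears when lookup and update share one critical section. The following is an added userspace sketch in C, not code from this series or from net/smc: `struct dev`, `dev_lock` and the `dev_*` functions are hypothetical stand-ins, and holding the lock across both steps is one possible approach, not necessarily the one the patches take.

```c
/* Constructed userspace model, not kernel code: one mutex guards the list. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
struct dev { char name[16], pnetid[16]; struct dev *next; };
static pthread_mutex_t dev_lock = PTHREAD_MUTEX_INITIALIZER;
static struct dev *dev_list;
/* Caller holds dev_lock. Returns the link pointing at the match, or at NULL. */
static struct dev **find_locked(const char *name)
{
    struct dev **pp = &dev_list;
    while (*pp && strcmp((*pp)->name, name) != 0)
        pp = &(*pp)->next;
    return pp;
}

int dev_add(const char *name)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) return -ENOMEM;
    strncpy(d->name, name, sizeof(d->name) - 1);
    pthread_mutex_lock(&dev_lock);
    d->next = dev_list;
    dev_list = d;
    pthread_mutex_unlock(&dev_lock);
    return 0;
}

int dev_remove(const char *name)   /* unlinks under dev_lock, then frees */
{
    pthread_mutex_lock(&dev_lock);
    struct dev **pp = find_locked(name), *d = *pp;
    int rc = d ? 0 : -ENODEV;
    if (d) *pp = d->next;
    pthread_mutex_unlock(&dev_lock);
    free(d);
    return rc;
}
/* Lookup and update share one critical section; no pointer escapes the lock. */
int dev_set_pnetid(const char *name, const char *pnetid)
{
    pthread_mutex_lock(&dev_lock);
    struct dev *d = *find_locked(name);
    int rc = d ? 0 : -ENODEV;
    if (d) strncpy(d->pnetid, pnetid, sizeof(d->pnetid) - 1);
    pthread_mutex_unlock(&dev_lock);
    return rc;
}
```

A concurrent `dev_remove()` now either runs first, so the update returns `-ENODEV`, or waits until the update has finished; it can never free the entry between the lookup and the write.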