From 5d33595e99f34815e438c42471b0c306892f1978 Mon Sep 17 00:00:00 2001
From: Nicolas Morey
Date: Mar 19 2024 14:14:41 +0000
Subject: RDMA/srpt: Do not register event handler until srpt device is fully setup (git-fixes)
---
diff --git a/patches.suse/RDMA-srpt-Do-not-register-event-handler-until-srpt-d.patch b/patches.suse/RDMA-srpt-Do-not-register-event-handler-until-srpt-d.patch
new file mode 100644
index 0000000..f4e67b9
--- /dev/null
+++ b/patches.suse/RDMA-srpt-Do-not-register-event-handler-until-srpt-d.patch
@@ -0,0 +1,60 @@
+From c21a8870c98611e8f892511825c9607f1e2cd456 Mon Sep 17 00:00:00 2001
+From: William Kucharski
+Date: Fri, 2 Feb 2024 02:15:49 -0700
+Subject: [PATCH 1/1] RDMA/srpt: Do not register event handler until srpt
+ device is fully setup
+Git-commit: c21a8870c98611e8f892511825c9607f1e2cd456
+Patch-mainline: v6.9-rc1
+References: git-fixes
+
+Upon rare occasions, KASAN reports a use-after-free Write
+in srpt_refresh_port().
+
+This seems to be because an event handler is registered before the
+srpt device is fully setup and a race condition upon error may leave a
+partially setup event handler in place.
+
+Instead, only register the event handler after srpt device initialization
+is complete.
+
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: William Kucharski
+Link: https://lore.kernel.org/r/20240202091549.991784-2-william.kucharski@oracle.com
+Reviewed-by: Bart Van Assche
+Signed-off-by: Leon Romanovsky
+Acked-by: Nicolas Morey
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 58f70cfec45a..d35f021f154b 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -3204,7 +3204,6 @@ static int srpt_add_one(struct ib_device *device)
+
+ INIT_IB_EVENT_HANDLER(&sdev->event_handler, sdev->device,
+ srpt_event_handler);
+- ib_register_event_handler(&sdev->event_handler);
+
+ for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
+ sport = &sdev->port[i - 1];
+@@ -3227,6 +3226,7 @@ static int srpt_add_one(struct ib_device *device)
+ }
+ }
+
++ ib_register_event_handler(&sdev->event_handler);
+ spin_lock(&srpt_dev_lock);
+ list_add_tail(&sdev->list, &srpt_dev_list);
+ spin_unlock(&srpt_dev_lock);
+@@ -3237,7 +3237,6 @@ static int srpt_add_one(struct ib_device *device)
+
+ err_port:
+ srpt_unregister_mad_agent(sdev, i);
+- ib_unregister_event_handler(&sdev->event_handler);
+ err_cm:
+ if (sdev->cm_id)
+ ib_destroy_cm_id(sdev->cm_id);
+--
+2.39.1.1.gbe015eda0162
+
diff --git a/series.conf b/series.conf
index 04b1abf..cc396f7 100644
--- a/series.conf
+++ b/series.conf
@@ -45681,6 +45681,7 @@
 patches.suse/nilfs2-fix-failure-to-detect-DAT-corruption-in-btree.patch
 patches.suse/nilfs2-prevent-kernel-bug-at-submit_bh_wbc.patch
 patches.suse/RDMA-irdma-Remove-duplicate-assignment.patch
+ patches.suse/RDMA-srpt-Do-not-register-event-handler-until-srpt-d.patch
 # jejb/scsi for-next
 patches.suse/scsi-lpfc-Initialize-status-local-variable-in-lpfc_s.patch
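Review bot: The relocated `ib_register_event_handler(&sdev->event_handler);` in the second ib_srpt.c hunk of srpt_add_one() now carries an ordering rule that nothing at the call site records: no fallible step may follow it, because the err_port path in the third hunk no longer calls ib_unregister_event_handler(). I would add a comment directly above the new line, e.g. `/* Register only after all ports are set up: the handler can fire as soon as this returns, and no error path unregisters it. */`. Events raised while the port loop is still running are no longer delivered, so it is worth confirming that the per-port setup inside the loop (its body lies outside these hunks) reads the current port state itself. The teardown side is also not visible here; the remove path should unregister the handler before any port state is released, otherwise the use-after-free described in the commit message could presumably reappear there.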