xprtrdma: Initialize re_id before removal registration

rpcrdma_create_id() registers ep->re_rn with the rpcrdma ib_client
before returning the new rdma_cm_id to rpcrdma_ep_create(). However
rpcrdma_ep_create() currently stores that pointer in ep->re_id only
after rpcrdma_create_id() returns.

A local administrator can race an NFS/RDMA mount against RDMA device
removal. If rpcrdma_remove_one() observes the just-registered
notification before rpcrdma_ep_create() assigns ep->re_id,
rpcrdma_ep_removal_done() calls trace_xprtrdma_device_removal(NULL).
The tracepoint dereferences id->device->name and copies
id->route.addr.dst_addr, so the callback can crash the kernel with a
NULL pointer dereference.

Store the rdma_cm_id in ep->re_id immediately before publishing
ep->re_rn. The existing error path still destroys the id directly if
registration fails; ep is then freed by the caller without using
ep->re_id. Remove the later duplicate assignment in rpcrdma_ep_create().

Fixes: 3f4eb9ff9234 ("xprtrdma: Handle device removal outside of the CM event handler")
Assisted-by: kres:openai-gpt-5
Signed-off-by: Chris Mason <clm@meta.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
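
Added example, not part of the commit or the kernel source: a single-threaded userspace C model of the publish-before-initialize ordering the message describes. All `model_*` names are hypothetical, and the removal callback is fired immediately after registration to stand in for the worst-case interleaving; a NULL id is recorded rather than dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: stand-ins for rdma_cm_id and rpcrdma_ep. */
struct model_id { const char *devname; };
struct model_ep {
    struct model_id *re_id;            /* pointer the removal callback reads */
    void (*re_rn)(struct model_ep *);  /* non-NULL once "registered" */
    int removal_saw_null;              /* recorded instead of crashing */
};

/* Stand-in for the removal-done callback. The real tracepoint would
 * dereference the id; the model only records that it was NULL. */
static void model_removal_done(struct model_ep *ep)
{
    if (ep->re_id == NULL)
        ep->removal_saw_null = 1;
}

/* Registration publishes the callback. Device removal is assumed to fire
 * right after publication, the earliest point at which it can run. */
static void model_register(struct model_ep *ep)
{
    ep->re_rn = model_removal_done;
    ep->re_rn(ep);
}

/* Ordering before the fix: register first, store the id afterwards. */
static int model_create_before_fix(void)
{
    static struct model_id id = { "constructed-dev0" };
    struct model_ep ep = { 0 };
    model_register(&ep);
    ep.re_id = &id;                    /* assigned too late */
    return ep.removal_saw_null;
}

/* Ordering after the fix: store the id, then publish the registration. */
static int model_create_after_fix(void)
{
    static struct model_id id = { "constructed-dev0" };
    struct model_ep ep = { 0 };
    ep.re_id = &id;
    model_register(&ep);
    return ep.removal_saw_null;
}

int main(void)
{
    printf("before fix: callback saw NULL id = %d\n", model_create_before_fix());
    printf("after fix:  callback saw NULL id = %d\n", model_create_after_fix());
    return 0;
}
```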