diff options
| author | Erez Shitrit <erezsh@mellanox.com> | 2016-08-28 03:58:30 -0400 |
|---|---|---|
| committer | Doug Ledford <dledford@redhat.com> | 2016-09-02 14:06:27 -0400 |
| commit | 68c6bcdd8bd00394c234b915ab9b97c74104130c (patch) | |
| tree | ba48101e224393e9481e965e5e103dc36ff6958a | |
| parent | 656aacea6c90ce8e15c2bdef4f89b74b73e2e34a (diff) | |
IB/core: Fix use after free in send_leave function
The function send_leave sets the member: group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
and will get a memory corruption.
Additionally, this patch gets rid of group->query_id variable which is
not used.
Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
| -rw-r--r-- | drivers/infiniband/core/multicast.c | 13 |
1 files changed, 2 insertions, 11 deletions
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c index 3a3c5d73bbfc..51c79b2fb0b8 100644 --- a/drivers/infiniband/core/multicast.c +++ b/drivers/infiniband/core/multicast.c | |||
| @@ -106,7 +106,6 @@ struct mcast_group { | |||
| 106 | atomic_t refcount; | 106 | atomic_t refcount; |
| 107 | enum mcast_group_state state; | 107 | enum mcast_group_state state; |
| 108 | struct ib_sa_query *query; | 108 | struct ib_sa_query *query; |
| 109 | int query_id; | ||
| 110 | u16 pkey_index; | 109 | u16 pkey_index; |
| 111 | u8 leave_state; | 110 | u8 leave_state; |
| 112 | int retries; | 111 | int retries; |
| @@ -340,11 +339,7 @@ static int send_join(struct mcast_group *group, struct mcast_member *member) | |||
| 340 | member->multicast.comp_mask, | 339 | member->multicast.comp_mask, |
| 341 | 3000, GFP_KERNEL, join_handler, group, | 340 | 3000, GFP_KERNEL, join_handler, group, |
| 342 | &group->query); | 341 | &group->query); |
| 343 | if (ret >= 0) { | 342 | return (ret > 0) ? 0 : ret; |
| 344 | group->query_id = ret; | ||
| 345 | ret = 0; | ||
| 346 | } | ||
| 347 | return ret; | ||
| 348 | } | 343 | } |
| 349 | 344 | ||
| 350 | static int send_leave(struct mcast_group *group, u8 leave_state) | 345 | static int send_leave(struct mcast_group *group, u8 leave_state) |
| @@ -364,11 +359,7 @@ static int send_leave(struct mcast_group *group, u8 leave_state) | |||
| 364 | IB_SA_MCMEMBER_REC_JOIN_STATE, | 359 | IB_SA_MCMEMBER_REC_JOIN_STATE, |
| 365 | 3000, GFP_KERNEL, leave_handler, | 360 | 3000, GFP_KERNEL, leave_handler, |
| 366 | group, &group->query); | 361 | group, &group->query); |
| 367 | if (ret >= 0) { | 362 | return (ret > 0) ? 0 : ret; |
| 368 | group->query_id = ret; | ||
| 369 | ret = 0; | ||
| 370 | } | ||
| 371 | return ret; | ||
| 372 | } | 363 | } |
| 373 | 364 | ||
| 374 | static void join_group(struct mcast_group *group, struct mcast_member *member, | 365 | static void join_group(struct mcast_group *group, struct mcast_member *member, |