aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoland Dreier <roland@eddore.topspincom.com>2005-09-09 23:52:00 -0400
committerRoland Dreier <rolandd@cisco.com>2005-09-09 23:52:00 -0400
commit1b205c2d2464bfecbba80227e74b412596dc5521 (patch)
tree8c22c14bd8b2c6cde19bd05b5cbbc1c88b64152a
parent354ba39cf96e439149541acf3c6c7c0df0a3ef25 (diff)
[PATCH] IB: fix CM use-after-free
If the CM REQ handling function gets to error2, then it frees cm_id_priv->timewait_info. But the next line goes through ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(), which ends up calling cm_cleanup_timewait(), which dereferences the pointer we just freed. Make sure we clear cm_id_priv->timewait_info after freeing it, so that doesn't happen. Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/core/cm.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 96136543aa4e..54db6d4831f1 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -1315,6 +1315,7 @@ error3: atomic_dec(&cm_id_priv->refcount);
1315 cm_deref_id(listen_cm_id_priv); 1315 cm_deref_id(listen_cm_id_priv);
1316 cm_cleanup_timewait(cm_id_priv->timewait_info); 1316 cm_cleanup_timewait(cm_id_priv->timewait_info);
1317error2: kfree(cm_id_priv->timewait_info); 1317error2: kfree(cm_id_priv->timewait_info);
1318 cm_id_priv->timewait_info = NULL;
1318error1: ib_destroy_cm_id(&cm_id_priv->id); 1319error1: ib_destroy_cm_id(&cm_id_priv->id);
1319 return ret; 1320 return ret;
1320} 1321}