[PATCH] IB: fix CM use-after-free

If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info. But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed. Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.

Signed-off-by: Roland Dreier <rolandd@cisco.com>

Authored by Roland Dreier and committed by Roland Dreier
1b205c2d 354ba39c

drivers/infiniband/core/cm.c
··· 1315 1315 cm_deref_id(listen_cm_id_priv); 1316 1316 cm_cleanup_timewait(cm_id_priv->timewait_info); 1317 1317 error2: kfree(cm_id_priv->timewait_info); 1318 + cm_id_priv->timewait_info = NULL; 1318 1319 error1: ib_destroy_cm_id(&cm_id_priv->id); 1319 1320 return ret; 1320 1321 }
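Review bot: clearing cm_id_priv->timewait_info right after the kfree() at error2 only closes the use-after-free if every callee on the fall-through path tolerates a NULL pointer; the hunk does not show that, so please confirm that cm_reset_to_idle() (reached via ib_destroy_cm_id() -> ib_send_cm_rej()) checks for NULL before calling cm_cleanup_timewait(), or add that check in the same change, otherwise the freed-pointer dereference becomes a NULL dereference on the same path. The ordering in the hunk is right (free, then null, then error1 destroys the id), but since error2 falls through into error1 implicitly, a short comment above `cm_id_priv->timewait_info = NULL;` stating that ib_destroy_cm_id() below will walk the timewait path would make the invariant explicit for future readers of this error-unwind chain.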