From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 1/9] IB/core: Fix use after free in send_leave function
Date: Sun, 28 Aug 2016 10:58:30 +0300
Message-ID: <1472371118-8260-2-git-send-email-leon@kernel.org>
In-Reply-To: <1472371118-8260-1-git-send-email-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>

From: Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

The function send_leave sets the member group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
resulting in memory corruption.

Additionally, this patch gets rid of the group->query_id variable, which is
not used.

Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
drivers/infiniband/core/multicast.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index 3a3c5d7..51c79b2 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
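Review bot: The commit message calls query_id "not used", but the two assignments removed later in this patch show it was written, so the accurate wording is "never read"; please say that in the message so the removal is clearly justified. The struct is defined in multicast.c itself, so a clean build of this file is enough to confirm that no reader is left.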
@@ -340,11 +339,7 @@ static int send_join(struct mcast_group *group, struct mcast_member *member)
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static int send_leave(struct mcast_group *group, u8 leave_state)
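Review bot: The send_join change is not covered by the commit message, which only explains the race between send_leave and leave_handler. Please state whether join_handler can free the group in the same window, or whether this hunk is only the consequence of dropping the field. The return value is preserved (ret == 0 still yields 0), but `return ret < 0 ? ret : 0;` states the intent, error or success, more directly than `(ret > 0) ? 0 : ret`.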
@@ -364,11 +359,7 @@ static int send_leave(struct mcast_group *group, u8 leave_state)
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static void join_group(struct mcast_group *group, struct mcast_member *member,
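Review bot: In send_leave, `&group->query` is still passed to the query call as an out-parameter, so the group is still written on behalf of this call even with the query_id store gone. If leave_handler can run and delete the group before the call returns, as the commit message describes, that store has to happen before the request can complete; please confirm the ordering and record it in the commit message or in a comment above the call, since nothing in this hunk shows it.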
--
2.7.4