From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 1/9] IB/core: Fix use after free in send_leave function
Date: Sun, 28 Aug 2016 10:58:30 +0300
Message-ID: <1472371118-8260-2-git-send-email-leon@kernel.org>
In-Reply-To: <1472371118-8260-1-git-send-email-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
From: Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
The function send_leave sets the member group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before that assignment and might delete the group object,
resulting in memory corruption.
Additionally, this patch gets rid of group->query_id variable which is
not used.
Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
drivers/infiniband/core/multicast.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index 3a3c5d7..51c79b2 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
@@ -340,11 +339,7 @@ static int send_join(struct mcast_group *group, struct mcast_member *member)
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static int send_leave(struct mcast_group *group, u8 leave_state)
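Review bot: the new `return (ret > 0) ? 0 : ret;` in send_join gives the same result as the removed `if (ret >= 0)` block (a return of 0 still yields 0), but the switch from `>=` to `>` reads like a behaviour change. `return ret < 0 ? ret : 0;` would state the intent directly. The commit message also describes only send_leave; since send_join had the same post-call store to group->query_id with join_handler receiving `group`, the message should say the same window is being closed here too.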
@@ -364,11 +359,7 @@ static int send_leave(struct mcast_group *group, u8 leave_state)
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static void join_group(struct mcast_group *group, struct mcast_member *member,
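Review bot: in send_leave the call still passes `group, &group->query` with leave_handler as the callback, so the callee still writes into the group object through that out-parameter. The removed `group->query_id = ret` was the store made after the call returned; please confirm in the commit message that the write through `&group->query` completes before leave_handler can run and release the group, otherwise the same use-after-free window remains on that field. A short comment above the return noting that `group` must not be touched after the query is issued would keep a later change from reintroducing the bug.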
--
2.7.4