* [PATCH net-next 0/1] smc: fix potential use after free @ 2017-01-30 9:55 Ursula Braun 2017-01-30 9:55 ` [PATCH net-next 1/1] smc: some potential use after free bugs Ursula Braun 0 siblings, 1 reply; 3+ messages in thread From: Ursula Braun @ 2017-01-30 9:55 UTC (permalink / raw) To: davem Cc: netdev, linux-s390, schwidefsky, heiko.carstens, ubraun, dan.carpenter From: Ursula Braun <ursula.braun@de.ibm.com> Hi Dave, please add Dan's fix for the smc-code. Thanks, Dan and Dave! Regards, Ursula Braun Dan Carpenter (1): smc: Reset rx/tx buffer descriptor in case of errors net/smc/smc_core.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.8.4 ^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH net-next 1/1] smc: some potential use after free bugs 2017-01-30 9:55 [PATCH net-next 0/1] smc: fix potential use after free Ursula Braun @ 2017-01-30 9:55 ` Ursula Braun 2017-01-30 21:38 ` David Miller 0 siblings, 1 reply; 3+ messages in thread From: Ursula Braun @ 2017-01-30 9:55 UTC (permalink / raw) To: davem Cc: netdev, linux-s390, schwidefsky, heiko.carstens, ubraun, dan.carpenter From: Dan Carpenter <dan.carpenter@oracle.com> Say we got really unlucky and these failed on the last iteration, then it could lead to a use after free bug. Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com> --- net/smc/smc_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 8b1d343..0eac633 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -532,6 +532,7 @@ int smc_sndbuf_create(struct smc_sock *smc) __GFP_NORETRY); if (!sndbuf_desc->cpu_addr) { kfree(sndbuf_desc); + sndbuf_desc = NULL; /* if send buffer allocation has failed, * try a smaller one */ @@ -543,6 +544,7 @@ int smc_sndbuf_create(struct smc_sock *smc) if (rc) { kfree(sndbuf_desc->cpu_addr); kfree(sndbuf_desc); + sndbuf_desc = NULL; continue; /* if mapping failed, try smaller one */ } sndbuf_desc->used = 1; @@ -596,6 +598,7 @@ int smc_rmb_create(struct smc_sock *smc) __GFP_NORETRY); if (!rmb_desc->cpu_addr) { kfree(rmb_desc); + rmb_desc = NULL; /* if RMB allocation has failed, * try a smaller one */ @@ -607,6 +610,7 @@ int smc_rmb_create(struct smc_sock *smc) if (rc) { kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; /* if mapping failed, try smaller one */ } rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd, @@ -619,6 +623,7 @@ int smc_rmb_create(struct smc_sock *smc) DMA_FROM_DEVICE); kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; } rmb_desc->used = 1; -- 2.8.4 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net-next 1/1] smc: some potential use after free bugs 2017-01-30 9:55 ` [PATCH net-next 1/1] smc: some potential use after free bugs Ursula Braun @ 2017-01-30 21:38 ` David Miller 0 siblings, 0 replies; 3+ messages in thread From: David Miller @ 2017-01-30 21:38 UTC (permalink / raw) To: ubraun; +Cc: netdev, linux-s390, schwidefsky, heiko.carstens, dan.carpenter From: Ursula Braun <ubraun@linux.vnet.ibm.com> Date: Mon, 30 Jan 2017 10:55:04 +0100 > From: Dan Carpenter <dan.carpenter@oracle.com> > > Say we got really unlucky and these failed on the last iteration, then > it could lead to a use after free bug. > > Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com> Applied, thank you. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-01-30 21:38 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-01-30 9:55 [PATCH net-next 0/1] smc: fix potential use after free Ursula Braun 2017-01-30 9:55 ` [PATCH net-next 1/1] smc: some potential use after free bugs Ursula Braun 2017-01-30 21:38 ` David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox