* Patch "IB/core: Fix use after free in send_leave function" has been added to the 4.7-stable tree
@ 2016-10-05 15:39 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-10-05 15:39 UTC (permalink / raw)
To: erezsh, dledford, gregkh, leon; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
IB/core: Fix use after free in send_leave function
to the 4.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ib-core-fix-use-after-free-in-send_leave-function.patch
and it can be found in the queue-4.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 68c6bcdd8bd00394c234b915ab9b97c74104130c Mon Sep 17 00:00:00 2001
From: Erez Shitrit <erezsh@mellanox.com>
Date: Sun, 28 Aug 2016 10:58:30 +0300
Subject: IB/core: Fix use after free in send_leave function
From: Erez Shitrit <erezsh@mellanox.com>
commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.
The function send_leave sets the member: group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
and will get a memory corruption.
Additionally, this patch gets rid of group->query_id variable which is
not used.
Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/multicast.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -118,7 +118,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
@@ -352,11 +351,7 @@ static int send_join(struct mcast_group
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static int send_leave(struct mcast_group *group, u8 leave_state)
@@ -376,11 +371,7 @@ static int send_leave(struct mcast_group
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static void join_group(struct mcast_group *group, struct mcast_member *member,
Patches currently in stable-queue which might be from erezsh@mellanox.com are
queue-4.7/ib-ipoib-fix-memory-corruption-in-ipoib-cm-mode-connect-flow.patch
queue-4.7/ib-core-fix-use-after-free-in-send_leave-function.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-10-05 15:41 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-05 15:39 Patch "IB/core: Fix use after free in send_leave function" has been added to the 4.7-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).