From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:56074 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750984AbdJBMAE (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 2 Oct 2017 08:00:04 -0400
Subject: Patch "iw_cxgb4: remove the stid on listen create failure" has been added to the 4.13-stable tree
To: swise@opengridcomputing.com, dledford@redhat.com,
        gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Mon, 02 Oct 2017 14:00:06 +0200
Message-ID: <1506945606211136@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    iw_cxgb4: remove the stid on listen create failure

to the 4.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iw_cxgb4-remove-the-stid-on-listen-create-failure.patch
and it can be found in the queue-4.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 Mon Sep 17 00:00:00 2001
From: Steve Wise <swise@opengridcomputing.com>
Date: Tue, 5 Sep 2017 11:52:34 -0700
Subject: iw_cxgb4: remove the stid on listen create failure

From: Steve Wise <swise@opengridcomputing.com>

commit 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 upstream.

If a listen create fails, then the server tid (stid) is incorrectly left
in the stid idr table, which can cause a touch-after-free if the stid
is looked up and the already freed endpoint is touched.  So make sure
and remove it in the error path.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/cxgb4/cm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -3463,7 +3463,7 @@ int c4iw_create_listen(struct iw_cm_id *
 		cm_id->provider_data = ep;
 		goto out;
 	}
-
+	remove_handle(ep->com.dev, &ep->com.dev->stid_idr, ep->stid);
 	cxgb4_free_stid(ep->com.dev->rdev.lldi.tids, ep->stid,
 			ep->com.local_addr.ss_family);
 fail2:


Patches currently in stable-queue which might be from swise@opengridcomputing.com are

queue-4.13/iw_cxgb4-drop-listen-destroy-replies-if-no-ep-found.patch
queue-4.13/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch
queue-4.13/iw_cxgb4-remove-the-stid-on-listen-create-failure.patch