
Commit 1b205c2d authored by Roland Dreier, committed by Roland Dreier

[PATCH] IB: fix CM use-after-free



If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info.  But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed.  Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
parent 354ba39c
@@ -1315,6 +1315,7 @@ error3: atomic_dec(&cm_id_priv->refcount);
	cm_deref_id(listen_cm_id_priv);
	cm_deref_id(listen_cm_id_priv);
	cm_cleanup_timewait(cm_id_priv->timewait_info);
	cm_cleanup_timewait(cm_id_priv->timewait_info);
error2:	kfree(cm_id_priv->timewait_info);
error2:	kfree(cm_id_priv->timewait_info);
	cm_id_priv->timewait_info = NULL;
error1:	ib_destroy_cm_id(&cm_id_priv->id);
error1:	ib_destroy_cm_id(&cm_id_priv->id);
	return ret;
	return ret;
}
}
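Review bot: the added `cm_id_priv->timewait_info = NULL;` at error2 only prevents the use-after-free if cm_cleanup_timewait(), reached through ib_destroy_cm_id() at error1 as the commit message describes, tolerates a NULL argument; that precondition is not visible in this hunk and should be confirmed, and a one-line comment at the assignment (e.g. `/* cleared so cm_cleanup_timewait() via ib_destroy_cm_id() skips it */`) would keep a later refactor from treating the line as redundant. Note also that the error3 path already runs cm_cleanup_timewait() on the live pointer before falling through to the kfree(), so the NULL store is what makes the second, indirect call safe for both entry points.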