
Commit fd8b48b2 authored by Dan Carpenter, committed by Roland Dreier

IB/iser: Fix use after free in iser_snd_completion()



We use "tx_desc" again after we free it.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
parent 7d9eacf9
+2 −1
@@ -610,11 +610,12 @@ void iser_snd_completion(struct iser_tx_desc *tx_desc,
		ib_dma_unmap_single(device->ib_device, tx_desc->dma_addr,
					ISER_HEADERS_LEN, DMA_TO_DEVICE);
		kmem_cache_free(ig.desc_cache, tx_desc);
		tx_desc = NULL;
	}

	atomic_dec(&ib_conn->post_send_buf_count);

	if (tx_desc->type == ISCSI_TX_CONTROL) {
	if (tx_desc && tx_desc->type == ISCSI_TX_CONTROL) {
		/* this arithmetic is legal by libiscsi dd_data allocation */
		task = (void *) ((long)(void *)tx_desc -
				  sizeof(struct iscsi_task));
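
Review bot: At the type check after atomic_dec(), the fix uses `tx_desc = NULL;` on a function parameter as the "already freed" marker, so any later use of tx_desc in iser_snd_completion() has to remember the NULL test. Reading the type into a local before the block that calls kmem_cache_free(), or turning the ISCSI_TX_CONTROL check into an else branch of that block if the two cases are mutually exclusive, would keep the freed pointer out of the later condition entirely. The commit message would also help future readers if it named the dereference (`tx_desc->type`) that follows the kmem_cache_free() call.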