[openib-general] [Fwd: [PATCH] RDMA/iwcm: Memory corruption bug in cm_work_handler]

Steve Wise swise at opengridcomputing.com
Thu Nov 9 14:46:49 PST 2006


Roland, this fix looks good to me. I don't think it is high severity, so
perhaps it can just go into 2.6.20.

Krishna, for future patches, please include netdev at vger.kernel.org since
this code is now in linux proper.  The module in svn is no longer being
maintained in svn...


Acked-by: Steve Wise <swise at opengridcomputing.com>


-------- Forwarded Message --------
From: Krishna Kumar <krkumar2 at in.ibm.com>
To: openib-general at openib.org
Subject: [openib-general] [PATCH] RDMA/iwcm: Memory corruption bug in cm_work_handler
Date: Thu, 09 Nov 2006 09:30:34 +0530

Possible memory corruption scenario : after putting the work
entry back on the work_free_list, we call process_event()
which dereferences work->event, which could have been
modified to another value meanwhile.

Patches against 2.6.19-rc4 bits.

Signed-off-by: Krishna Kumar <krkumar2 at in.ibm.com>
---
diff -ruNp org/drivers/infiniband/core/iwcm.c new/drivers/infiniband/core/iwcm.c
--- org/drivers/infiniband/core/iwcm.c	2006-10-09 16:40:04.000000000 +0530
+++ new/drivers/infiniband/core/iwcm.c	2006-10-09 16:52:03.000000000 +0530
@@ -830,7 +830,8 @@ static int process_event(struct iwcm_id_
  */
 static void cm_work_handler(void *arg)
 {
-	struct iwcm_work *work = arg, lwork;
+	struct iwcm_work *work = arg;
+	struct iw_cm_event levent;
 	struct iwcm_id_private *cm_id_priv = work->cm_id;
 	unsigned long flags;
 	int empty;
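Review bot: a one-line comment above the new `struct iw_cm_event levent;` saying why the event is copied to the stack would help the next reader: the work entry goes back on work_free_list while the handler still needs its event, so it is the event, not the whole `struct iwcm_work` as the removed `lwork` copied, that has to survive put_work(). Copying only the event also stops duplicating the embedded list_head, which never meant anything in a copy.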
@@ -843,11 +844,11 @@ static void cm_work_handler(void *arg)
 				  struct iwcm_work, list);
 		list_del_init(&work->list);
 		empty = list_empty(&cm_id_priv->work_list);
-		lwork = *work;
+		levent = work->event;
 		put_work(work);
 		spin_unlock_irqrestore(&cm_id_priv->lock, flags);
 
-		ret = process_event(cm_id_priv, &work->event);
+		ret = process_event(cm_id_priv, &levent);
 		if (ret) {
 			set_bit(IWCM_F_CALLBACK_DESTROY, &cm_id_priv->flags);
 			destroy_cm_id(&cm_id_priv->id);
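Review bot: the ordering `levent = work->event; put_work(work);` is the right one: the copy is taken while cm_id_priv->lock is still held and before the entry goes back on the free list, and process_event() then gets the stack copy after the lock is dropped. Note that the removed code already took a copy (`lwork = *work`) but still passed `&work->event` to process_event(), so that copy was dead and the recycled entry was dereferenced regardless. One thing to confirm before merging: `struct iw_cm_event` is copied by value, so any pointer members it carries are shared between `levent` and the recycled work entry; whoever consumes `levent` must own and release such data, and nothing that reuses the work slot may touch it. Deferring put_work() until after process_event() would avoid the copy altogether, but it would mean re-taking the lock, so the copy is the cleaner fix.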

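The scenario Krishna describes, a work entry returned to the free list and then read through after another event has reused it, is easy to reproduce in user space without threads by interleaving the steps by hand. The following is an added example, not code from iwcm.c or from the patch above; `cm_work`, `work_pool`, `get_work`, `put_work`, `concurrent_event` and the handler names are invented stand-ins for the kernel's `iwcm_work`, `work_free_list` and event-handler paths. It runs the pre-patch ordering (release, then dereference) beside the patched ordering (copy, release, use the copy) against the same interleaving.

```c
/*
 * Added example (not from iwcm.c): user-space model of the work free-list
 * race. All names here are invented stand-ins for the kernel's structures.
 */
#include <stdio.h>

/* Stand-in for struct iw_cm_event: just an event type. */
struct cm_event {
	int type;
};

/* Stand-in for struct iwcm_work: the event plus its free-list link. */
struct cm_work {
	struct cm_event event;
	struct cm_work *next;
};

/* A per-cm_id pool of work entries, like work_free_list in iwcm. */
#define POOL_SIZE 4
struct work_pool {
	struct cm_work slots[POOL_SIZE];
	struct cm_work *free_list;
};

static void pool_init(struct work_pool *p)
{
	int i;

	p->free_list = NULL;
	for (i = 0; i < POOL_SIZE; i++) {
		p->slots[i].next = p->free_list;
		p->free_list = &p->slots[i];
	}
}

/* Pop the free-list head (LIFO, so a just-released entry is reused first). */
static struct cm_work *get_work(struct work_pool *p)
{
	struct cm_work *w = p->free_list;

	if (w)
		p->free_list = w->next;
	return w;
}

/* Push an entry back on the free list; its contents are now up for grabs. */
static void put_work(struct work_pool *p, struct cm_work *w)
{
	w->next = p->free_list;
	p->free_list = w;
}

/*
 * Models the provider side on another CPU once the handler has dropped the
 * lock: a new event arrives, the first free entry (the one the handler just
 * released) is taken and its event is overwritten.
 */
static void concurrent_event(struct work_pool *p, int type)
{
	struct cm_work *w = get_work(p);

	if (w)
		w->event.type = type;
}

/* Pre-patch ordering: release the entry, then read through it. */
static int handler_buggy(struct work_pool *p, struct cm_work *w)
{
	put_work(p, w);
	concurrent_event(p, 99);   /* the interleaving that corrupts the event */
	return w->event.type;      /* reads whatever now sits in the recycled slot */
}

/* Patched ordering: copy the event, release the entry, use the copy. */
static int handler_fixed(struct work_pool *p, struct cm_work *w)
{
	struct cm_event levent = w->event;

	put_work(p, w);
	concurrent_event(p, 99);   /* same interleaving, now harmless */
	return levent.type;
}

/* Queue one event of type 1 and return the type the handler really processed. */
static int run_scenario(int use_fix)
{
	struct work_pool pool;
	struct cm_work *w;

	pool_init(&pool);
	w = get_work(&pool);
	if (!w)
		return -1;
	w->event.type = 1;
	return use_fix ? handler_fixed(&pool, w) : handler_buggy(&pool, w);
}

int main(void)
{
	printf("pre-patch ordering processed type %d (queued 1)\n", run_scenario(0));
	printf("patched ordering processed type %d (queued 1)\n", run_scenario(1));
	return 0;
}
```

The pre-patch handler reports type 99, the value written by the concurrent event into the recycled slot, while the patched handler reports the type 1 that was actually queued. In the kernel the interleaving is not forced like this; it only needs the provider to call back with a new event between put_work() and process_event(), which is exactly the window the patch closes by taking the copy under the lock.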