[openib-general] [PATCH] RDMA/iwcm: Memory corruption bug in cm_work_handler
Krishna Kumar
krkumar2 at in.ibm.com
Wed Nov 8 20:00:34 PST 2006
Possible memory corruption scenario: after putting the work
entry back on the work_free_list, we call process_event()
which dereferences work->event, which could have been
modified to another value meanwhile.
Patches against 2.6.19-rc4 bits.
Signed-off-by: Krishna Kumar <krkumar2 at in.ibm.com>
---
diff -ruNp org/drivers/infiniband/core/iwcm.c new/drivers/infiniband/core/iwcm.c
--- org/drivers/infiniband/core/iwcm.c 2006-10-09 16:40:04.000000000 +0530
+++ new/drivers/infiniband/core/iwcm.c 2006-10-09 16:52:03.000000000 +0530
@@ -830,7 +830,8 @@ static int process_event(struct iwcm_id_
*/
static void cm_work_handler(void *arg)
{
- struct iwcm_work *work = arg, lwork;
+ struct iwcm_work *work = arg;
+ struct iw_cm_event levent;
struct iwcm_id_private *cm_id_priv = work->cm_id;
unsigned long flags;
int empty;
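Review bot: the removed `lwork` was a whole-struct copy that the old code never actually used (it still dereferenced `work->event` after `put_work`), so narrowing the local copy to a `struct iw_cm_event` is the right scope; the one thing worth confirming is that `struct iw_cm_event` carries no pointer that refers back into the `iwcm_work` entry itself, since that entry is recycled before the copy is consumed.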
@@ -843,11 +844,11 @@ static void cm_work_handler(void *arg)
struct iwcm_work, list);
list_del_init(&work->list);
empty = list_empty(&cm_id_priv->work_list);
- lwork = *work;
+ levent = work->event;
put_work(work);
spin_unlock_irqrestore(&cm_id_priv->lock, flags);
- ret = process_event(cm_id_priv, &work->event);
+ ret = process_event(cm_id_priv, &levent);
if (ret) {
set_bit(IWCM_F_CALLBACK_DESTROY, &cm_id_priv->flags);
destroy_cm_id(&cm_id_priv->id);
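Review bot: the copy `levent = work->event` is correctly taken before `put_work(work)` and while `cm_id_priv->lock` is still held, so nothing after `spin_unlock_irqrestore` touches the recycled work entry; please confirm that `put_work` only returns the entry to `work_free_list` and does not free a buffer that `levent.private_data` may still point to, because `process_event(cm_id_priv, &levent)` now runs on that copy after the lock has been dropped.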