Roland, this fix looks good to me. I don't think it is high severity, so
perhaps it can just go into 2.6.20.

Krishna, for future patches, please include netdev@vger.kernel.org since
this code is now in linux proper.  The module in svn is no longer being
maintained in svn...


Acked-by: Steve Wise <[EMAIL PROTECTED]>


-------- Forwarded Message --------
From: Krishna Kumar <[EMAIL PROTECTED]>
To: openib-general@openib.org
Subject: [openib-general] [PATCH] RDMA/iwcm: Memory corruption bug in cm_work_handler
Date: Thu, 09 Nov 2006 09:30:34 +0530

Possible memory corruption scenario: after putting the work
entry back on the work_free_list, we call process_event()
which dereferences work->event, which could have been
modified to another value meanwhile.

Patches against 2.6.19-rc4 bits.

Signed-off-by: Krishna Kumar <[EMAIL PROTECTED]>
---
diff -ruNp org/drivers/infiniband/core/iwcm.c new/drivers/infiniband/core/iwcm.c
--- org/drivers/infiniband/core/iwcm.c  2006-10-09 16:40:04.000000000 +0530
+++ new/drivers/infiniband/core/iwcm.c  2006-10-09 16:52:03.000000000 +0530
@@ -830,7 +830,8 @@ static int process_event(struct iwcm_id_
  */
 static void cm_work_handler(void *arg)
 {
-       struct iwcm_work *work = arg, lwork;
+       struct iwcm_work *work = arg;
+       struct iw_cm_event levent;
        struct iwcm_id_private *cm_id_priv = work->cm_id;
        unsigned long flags;
        int empty;
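Review bot: the declaration change is right, but the commit message should say why the type changes as well as the name: the old `lwork` was a full `struct iwcm_work` copy (list head and `cm_id` included) that the old code never read, since the call below still passed `&work->event`. Copying only the `struct iw_cm_event` payload is all that process_event() needs, and it makes the intent (snapshot the event before the work entry is recycled) explicit. Consider adding a one-line comment on `levent` saying it is a stable copy taken before put_work().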
@@ -843,11 +844,11 @@ static void cm_work_handler(void *arg)
                                  struct iwcm_work, list);
                list_del_init(&work->list);
                empty = list_empty(&cm_id_priv->work_list);
-               lwork = *work;
+               levent = work->event;
                put_work(work);
                spin_unlock_irqrestore(&cm_id_priv->lock, flags);
 
-               ret = process_event(cm_id_priv, &work->event);
+               ret = process_event(cm_id_priv, &levent);
                if (ret) {
                        set_bit(IWCM_F_CALLBACK_DESTROY, &cm_id_priv->flags);
                        destroy_cm_id(&cm_id_priv->id);
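Review bot: the ordering in this hunk is the whole fix and deserves a comment so it is not undone later: `levent = work->event;` must stay before `put_work(work);` and under the lock, because once put_work() returns the entry is back on the free list and `work` must not be dereferenced again. The old code already copied `lwork = *work` but then passed `&work->event` to process_event() after the release, so the copy was dead and the stale pointer was used. Suggest something like `/* copy the event before put_work(); work is invalid afterwards */` above the assignment, and optionally `work = NULL;` after put_work() so any later dereference faults loudly instead of reading recycled memory.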

_______________________________________________
openib-general mailing list
openib-general@openib.org
http://openib.org/mailman/listinfo/openib-general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general


