lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20080220005848.GA31955@cs181133002.pp.htv.fi>
Date:	Wed, 20 Feb 2008 02:58:48 +0200
From:	Adrian Bunk <bunk@...nel.org>
To:	flatif@...effect.com, gstreiff@...effect.com
Cc:	general@...ts.openfabrics.org, linux-kernel@...r.kernel.org
Subject: infiniband/hw/nes/nes_cm.c: use-after-free

Spotted by the Coverity checker.

<--  snip  -->

...
static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
                struct nes_cm_listener *listener, int free_hanging_nodes)
{
        int ret = 1;
        unsigned long flags;
        spin_lock_irqsave(&cm_core->listen_list_lock, flags);
        if (!atomic_dec_return(&listener->ref_count)) {
                list_del(&listener->list);

                /* decrement our listen node count */
                atomic_dec(&cm_core->listen_node_cnt);

                spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);

                if (listener->nesvnic) {
                        nes_manage_apbvt(listener->nesvnic, listener->loc_port,
                                        PCI_FUNC(listener->nesvnic->nesdev->pcidev->devfn), NES_MANAGE_APBVT_DEL);
                }

                nes_debug(NES_DBG_CM, "destroying listener (%p)\n", listener);

                kfree(listener);     <----------------------------------
                ret = 0;
                cm_listens_destroyed++;
        } else {
                spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
        }
        if (listener) {
                if (atomic_read(&listener->pend_accepts_cnt) > 0)
...                              ^^^^^^^^^^^^^^^^^^^^^^^^^^

<--  snip  -->

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ