Message-Id: <20200302181614.17042-1-bmt@zurich.ibm.com>
Date:   Mon,  2 Mar 2020 19:16:14 +0100
From:   Bernard Metzler <bmt@...ich.ibm.com>
To:     jgg@...pe.ca, dledford@...hat.com, kamalheib1@...il.com,
        krishna2@...lsio.com, linux-kernel@...r.kernel.org,
        linux-rdma@...r.kernel.org, syzkaller-bugs@...glegroups.com
Cc:     Bernard Metzler <bmt@...ich.ibm.com>
Subject: [PATCH for-rc] RDMA/iwcm: Fix iwcm work deallocation

The dealloc_work_entries() function must update the
work_free_list pointer while freeing its entries, since
it is potentially called again on the same list. A second
iteration of the work list caused a system crash. This happens
if work allocation fails during cma_iw_listen() and
free_cm_id() tries to free the list again during cleanup.

Reported-by: syzbot+cb0c054eabfba4342146@...kaller.appspotmail.com
Signed-off-by: Bernard Metzler <bmt@...ich.ibm.com>
---
 drivers/infiniband/core/iwcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index ade71823370f..da8adadf4755 100644
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -159,8 +159,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
 {
 	struct list_head *e, *tmp;
 
-	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
+	list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
+		list_del(e);
 		kfree(list_entry(e, struct iwcm_work, free_list));
+	}
 }
 
 static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
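
Review bot: The new list_del(e) in the loop body of dealloc_work_entries() reads as redundant next to the kfree() that follows it, and nothing in the function says why it has to stay. A one-line comment above the loop would help, noting that the function can run a second time on the same work_free_list (the commit message names a failed work allocation in cma_iw_listen() followed by free_cm_id()) and that the list head must therefore end up empty. The message also carries no Fixes: tag, although the subject targets for-rc.
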
-- 
2.17.2
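
The failure mode the commit message describes, as an added example that is not part of the original mail or the kernel source: a user-space model of the pre-patch and patched loop bodies. The list helpers are simplified stand-ins, and `pool`, `dealloc` and `double_releases` are hypothetical names; the constructed static pool counts releases instead of calling `kfree()`.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's list_head helpers. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
}
/* Constructed work item from a static pool: "freed" counts releases instead
 * of calling free(), so a double release shows up without touching freed memory. */
struct work { struct list_head free_list; int freed; };
#define NWORK 4
static struct work pool[NWORK];
/* Same traversal as list_for_each_safe(); unlink=0 is the pre-patch loop
 * body, unlink=1 the patched one. */
static void dealloc(struct list_head *head, int unlink) {
    struct list_head *e, *tmp;
    for (e = head->next, tmp = e->next; e != head; e = tmp, tmp = e->next) {
        if (unlink)
            list_del(e);
        ((struct work *)((char *)e - offsetof(struct work, free_list)))->freed++;
    }
}

/* Run dealloc twice on one list (failed allocation, then cleanup) and
 * return how many entries were released more than once. */
int double_releases(int unlink) {
    struct list_head head;
    int n = 0;
    list_init(&head);
    for (int i = 0; i < NWORK; i++) {
        pool[i].freed = 0;
        list_add(&pool[i].free_list, &head);
    }
    dealloc(&head, unlink);
    dealloc(&head, unlink);
    for (int i = 0; i < NWORK; i++)
        n += pool[i].freed > 1;
    return n;
}

int main(void) {
    printf("without list_del: %d, with list_del: %d\n", double_releases(0), double_releases(1));
    return 0;
}
```

Without the unlink, the head still points at every released entry, so the second pass visits all of them again; with it, the head is empty after the first pass and the second pass is a no-op.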
