git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
author Cheng Xu <chengyou@linux.alibaba.com>
Thu, 6 Mar 2025 12:04:40 +0000 (20:04 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Apr 2025 12:37:31 +0000 (14:37 +0200)
[ Upstream commit 83437689249e6a17b25e27712fbee292e42e7855 ]

After the erdma_cep_put(new_cep) being called, new_cep will be freed,
and the following dereference will cause a UAF problem. Fix this issue.

Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support")
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/infiniband/hw/erdma/erdma_cm.c

index 771059a8eb7d7f76eb38652edbce9bfdb5ee89b3..e349e8d2fb50a8383131ab289b2eabf1a8c920f2 100644 (file)
@@ -705,7 +705,6 @@ error:
                erdma_cancel_mpatimer(new_cep);
 
                erdma_cep_put(new_cep);
-               new_cep->sock = NULL;
        }
 
        if (new_s) {
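Review bot: In the error path after erdma_cep_put(new_cep), dropping the new_cep->sock = NULL line removes the write to freed memory, but it also means the sock pointer is never cleared on this path. The commit message does not say whether that clearing was needed. If the put is not guaranteed to release the last reference, new_cep keeps a pointer to the socket that the following if (new_s) block goes on to handle. Consider moving the assignment to just before erdma_cep_put(new_cep) instead of deleting it, or state in the commit message why the pointer no longer needs to be reset here.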