git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
author Cheng Xu <chengyou@linux.alibaba.com>
Thu, 6 Mar 2025 12:04:40 +0000 (20:04 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Apr 2025 12:33:34 +0000 (14:33 +0200)
[ Upstream commit 83437689249e6a17b25e27712fbee292e42e7855 ]

After erdma_cep_put(new_cep) is called, new_cep will be freed,
and the following dereference will cause a UAF problem. Fix this issue.

Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support")
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/infiniband/hw/erdma/erdma_cm.c

index 74f6348f240ac424109f6de509779a5a0b23569d..1156ae62c4683191286f3a6c6e910c9a3c0a1ea3 100644 (file)
@@ -704,7 +704,6 @@ error:
                erdma_cancel_mpatimer(new_cep);
 
                erdma_cep_put(new_cep);
-               new_cep->sock = NULL;
        }
 
        if (new_s) {
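
Review bot: In the error path after erdma_cep_put(new_cep), the store new_cep->sock = NULL is dropped outright rather than moved ahead of the put, and the commit message does not say why clearing the field is no longer needed. If the release path behind erdma_cep_put() or the following if (new_s) block can still read new_cep->sock, the assignment should be placed before erdma_cep_put(new_cep) instead of being deleted; if nothing reads it, a sentence saying so in the changelog would make the fix easier to verify for stable backports. Please also confirm that no code after this block touches new_cep again, because the put that can free it is still in place.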