IPoIB: Fix use-after-free in path_rec_completion()
The connected mode code added the possibility that a neigh struct gets freed in the list_for_each_entry() loop in path_rec_completion(), which causes a use-after-free. Fix this by changing to the _safe variant of the list walking macro. This was spotted by the Coverity checker (CID 1567). Signed-off-by: Michael S. Tsirkin <mst@dev.mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Родитель
73b9e9870f
Коммит
d04d01b113
|
@ -380,7 +380,7 @@ static void path_rec_completion(int status,
|
||||||
struct net_device *dev = path->dev;
|
struct net_device *dev = path->dev;
|
||||||
struct ipoib_dev_priv *priv = netdev_priv(dev);
|
struct ipoib_dev_priv *priv = netdev_priv(dev);
|
||||||
struct ipoib_ah *ah = NULL;
|
struct ipoib_ah *ah = NULL;
|
||||||
struct ipoib_neigh *neigh;
|
struct ipoib_neigh *neigh, *tn;
|
||||||
struct sk_buff_head skqueue;
|
struct sk_buff_head skqueue;
|
||||||
struct sk_buff *skb;
|
struct sk_buff *skb;
|
||||||
unsigned long flags;
|
unsigned long flags;
|
||||||
|
@ -418,7 +418,7 @@ static void path_rec_completion(int status,
|
||||||
while ((skb = __skb_dequeue(&path->queue)))
|
while ((skb = __skb_dequeue(&path->queue)))
|
||||||
__skb_queue_tail(&skqueue, skb);
|
__skb_queue_tail(&skqueue, skb);
|
||||||
|
|
||||||
list_for_each_entry(neigh, &path->neigh_list, list) {
|
list_for_each_entry_safe(neigh, tn, &path->neigh_list, list) {
|
||||||
kref_get(&path->ah->ref);
|
kref_get(&path->ah->ref);
|
||||||
neigh->ah = path->ah;
|
neigh->ah = path->ah;
|
||||||
memcpy(&neigh->dgid.raw, &path->pathrec.dgid.raw,
|
memcpy(&neigh->dgid.raw, &path->pathrec.dgid.raw,
|
||||||
|
|
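Review bot: The switch to `list_for_each_entry_safe()` in the second hunk carries no comment saying why the safe walker is required or what it does not cover, so a later cleanup could revert it and reintroduce the use-after-free. The `_safe` variant only tolerates the loop body unlinking and freeing the current `neigh`; it does not keep `tn` valid if a different entry is removed, and it gives no protection against another context modifying `path->neigh_list`, so the walk still depends on whatever lock covers that list (presumably the one taken with the `flags` local, but the locking is outside the hunk). I would add above the loop: `/* _safe: the body may unlink and free neigh (connected mode); the lock protecting neigh_list must stay held for the whole walk */`. The loop body, including the path that frees the entry, continues past the end of the hunk, so it is worth confirming that nothing inside it drops that lock.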