WSL2-Linux-Kernel

История

Bart Van Assche 557d035fe8 RDMA/iwcm: Fix a use-after-free related to destroying CM IDs commit aee2424246f9f1dadc33faa78990c1e2eb7826e4 upstream. iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished. Cc: stable@vger.kernel.org Fixes: `59c68ac31e` ("iw_cm: free cm_id resources on the last deref") Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev> Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Link: https://lore.kernel.org/r/20240605145117.397751-6-bvanassche@acm.org Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2024-08-19 05:45:20 +02:00
..
Makefile	…
addr.c	…
agent.c	…
agent.h	…
cache.c	RDMA/cache: Release GID table even if leak is detected	2024-08-19 05:45:04 +02:00
cgroup.c	…
cm.c	RDMA/cm: Print the old state when cm_destroy_id gets timeout	2024-04-27 17:05:25 +02:00
cm_msgs.h	…
cm_trace.c	…
cm_trace.h	trace: Relocate event helper files	2024-04-10 16:19:24 +02:00
cma.c	RDMA/cma: Initialize ib_sa_multicast structure to 0 when join	2023-10-10 21:59:09 +02:00
cma_configfs.c	RDMA/cma: Fix truncation compilation warning in make_cma_ports	2023-10-10 21:59:09 +02:00
cma_priv.h	…
cma_trace.c	…
cma_trace.h	trace: Relocate event helper files	2024-04-10 16:19:24 +02:00
core_priv.h	…
counters.c	…
cq.c	…
device.c	RDMA/device: Return error earlier if port in not valid	2024-08-19 05:45:05 +02:00
ib_core_uverbs.c	…
iwcm.c	RDMA/iwcm: Fix a use-after-free related to destroying CM IDs	2024-08-19 05:45:20 +02:00
iwcm.h	…
iwpm_msg.c	…
iwpm_util.c	…
iwpm_util.h	…
lag.c	…
mad.c	IB/mad: Don't call to function that might sleep while in atomic context	2022-12-31 13:14:23 +01:00
mad_priv.h	…
mad_rmpp.c	…
mad_rmpp.h	…
mr_pool.c	…
multicast.c	…
netlink.c	…
nldev.c	RDMA/core: Require admin capabilities to set system parameters	2023-10-10 21:59:08 +02:00
opa_smi.h	…
packer.c	…
rdma_core.c	…
rdma_core.h	…
restrack.c	RDMA/restrack: Fix potential invalid address access	2024-07-05 09:14:43 +02:00
restrack.h	…
roce_gid_mgmt.c	…
rw.c	…
sa.h	…
sa_query.c	RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()	2023-11-20 11:08:22 +01:00
security.c	…
smi.c	…
smi.h	…
sysfs.c	RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()	2023-11-20 11:08:22 +01:00
trace.c	…
ucma.c	…
ud_header.c	…
umem.c	RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz	2023-12-13 18:36:40 +01:00
umem_dmabuf.c	…
umem_odp.c	…
user_mad.c	IB/core: Implement a limit on UMAD receive List	2024-07-18 13:07:26 +02:00
uverbs.h	…
uverbs_cmd.c	RDMA/uverbs: Restrict usage of privileged QKEYs	2023-06-21 15:59:15 +02:00
uverbs_ioctl.c	…
uverbs_main.c	RDMA/uverbs: Fix typo of sizeof argument	2023-10-10 21:59:09 +02:00
uverbs_marshall.c	…
uverbs_std_types.c	…
uverbs_std_types_async_fd.c	…
uverbs_std_types_counters.c	IB/uverbs: Fix an potential error pointer dereference	2023-09-19 12:22:46 +02:00
uverbs_std_types_cq.c	…
uverbs_std_types_device.c	…
uverbs_std_types_dm.c	…
uverbs_std_types_flow_action.c	…
uverbs_std_types_mr.c	…
uverbs_std_types_qp.c	…
uverbs_std_types_srq.c	…
uverbs_std_types_wq.c	…
uverbs_uapi.c	…
verbs.c	RDMA/core: Fix GID entry ref leak when create_ah fails	2023-04-20 12:13:53 +02:00