Google Git
Sign in
android-kvm / linux / 1b205c2d2464bfecbba80227e74b412596dc5521
commit1b205c2d2464bfecbba80227e74b412596dc5521[log] [tgz]
authorRoland Dreier <roland@eddore.topspincom.com>Fri Sep 09 20:52:00 2005 -0700
committerRoland Dreier <rolandd@cisco.com>Fri Sep 09 20:52:00 2005 -0700
tree8c22c14bd8b2c6cde19bd05b5cbbc1c88b64152a
parent354ba39cf96e439149541acf3c6c7c0df0a3ef25 [diff]
[PATCH] IB: fix CM use-after-free

If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info.  But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed.  Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
1 file changed
tree: 8c22c14bd8b2c6cde19bd05b5cbbc1c88b64152a
  1. arch/
  2. crypto/
  3. Documentation/
  4. drivers/
  5. fs/
  6. include/
  7. init/
  8. ipc/
  9. kernel/
  10. lib/
  11. mm/
  12. net/
  13. scripts/
  14. security/
  15. sound/
  16. usr/
  17. COPYING
  18. CREDITS
  19. MAINTAINERS
  20. Makefile
  21. README
  22. REPORTING-BUGS