Message ID | 20190611150808.2877.90221.stgit@manet.1015granger.net (mailing list archive) |
---|---|
State | New, archived |
Headers | show
Return-Path: <linux-nfs-owner@kernel.org> Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 513FA14E5 for <patchwork-linux-nfs@patchwork.kernel.org>; Tue, 11 Jun 2019 15:08:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 42F6A284BD for <patchwork-linux-nfs@patchwork.kernel.org>; Tue, 11 Jun 2019 15:08:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 36F9D2843C; Tue, 11 Jun 2019 15:08:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E926028414 for <patchwork-linux-nfs@patchwork.kernel.org>; Tue, 11 Jun 2019 15:08:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390926AbfFKPIL (ORCPT <rfc822;patchwork-linux-nfs@patchwork.kernel.org>); Tue, 11 Jun 2019 11:08:11 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:35996 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391648AbfFKPIL (ORCPT <rfc822;linux-nfs@vger.kernel.org>); Tue, 11 Jun 2019 11:08:11 -0400 Received: by mail-io1-f66.google.com with SMTP id h6so10195742ioh.3; Tue, 11 Jun 2019 08:08:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:from:to:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=to3mUAty1JalteouLQzDvBtpnJX/PiznlXHIlSo5tHE=; b=AMifTe6jgf8POrXtrV+PV8sA+N1SPCGFGgpuVVR6P5QNrcQnCYCAOcS0zyrg2qxZCr DKLiM5v76xlEyDhw12xKkHebfIC9Nxmz8f2Y+X947MNmFlgkpegE/L9BAVUec2IoUONu m1lAwn4SPHajNVSTICVAxUNhQnKE6RwPPvtojKZQdih0/8g2ySOdi1o/wHxTQxUVICOT ymwuln3QtkyD5qnLQPPPkKvWXGTPqVTPDkrXexv/TGFKVz9v325gwdsAoJ+M1BU1G5d1 T87v0wTgNNv6K2cmdwbPpzhRaoh8hzLwEOvWs/m9tBqS3+EdrP+O07glaU/O8vGH4ZJk sllg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:from:to:date:message-id :in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=to3mUAty1JalteouLQzDvBtpnJX/PiznlXHIlSo5tHE=; b=MrCHBU9M0K1iG5n53bTnrZz7P60P6OR3rlp63NhFhuc7YmNowXI88C79SuslhWn1Yk 6pSCO8WECw9A+QISKgqhT6rytRJqR7/9IZ/d2nAiXklsPUNoiqstKVPib14H87HEbAka 3LoRApDsL+IsI0dXjOwtve3aoqONv4qr/sTD4nK58HsEBmQIshZlXwjpU9c6fGxSLXAk 2/7hbOLuNd4jzh7071OfVa77kuAGhcnohDd4Faeg1wC2rz2jKTy/AZkwQ/naZKPZQ2VM IfhVzDHaQCb+3ujZ7Kk0be7/ON5SlcipmowOqkkV9JrnuH1XDcj5Xc5nYZl3sHbyKObn RZVQ== X-Gm-Message-State: APjAAAU9ojGfIwP7UhSfIIiORv9MmyMIMKihj11axNwgyv175IJByD3c lNv5B+4YMRV4oZCZ0FCryLg4R+Nk X-Google-Smtp-Source: APXvYqy3L0oDn0CLuPCmCg2tXHM5mwgYGkU98aWmcuCuckoOVwZu6M+fEn4xhH5yCgtOUnd+Az6H6A== X-Received: by 2002:a5e:db0a:: with SMTP id q10mr2313061iop.168.1560265690121; Tue, 11 Jun 2019 08:08:10 -0700 (PDT) Received: from gateway.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id h190sm1281313ita.22.2019.06.11.08.08.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jun 2019 08:08:09 -0700 (PDT) Received: from manet.1015granger.net (manet.1015granger.net [192.168.1.51]) by gateway.1015granger.net (8.14.7/8.14.7) with ESMTP id x5BF88Nx021731; Tue, 11 Jun 2019 15:08:08 GMT Subject: [PATCH v2 02/19] xprtrdma: Fix use-after-free in rpcrdma_post_recvs From: Chuck Lever <chuck.lever@oracle.com> To: linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org Date: Tue, 11 Jun 2019 11:08:08 -0400 Message-ID: <20190611150808.2877.90221.stgit@manet.1015granger.net> In-Reply-To: <20190611150445.2877.8656.stgit@manet.1015granger.net> References: <20190611150445.2877.8656.stgit@manet.1015granger.net> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: <linux-nfs.vger.kernel.org> X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP |
Series |
for-5.3 patches for review
|
expand
|
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c index 84bb379..e71315e 100644 --- a/net/sunrpc/xprtrdma/verbs.c +++ b/net/sunrpc/xprtrdma/verbs.c @@ -1553,10 +1553,11 @@ static void rpcrdma_regbuf_free(struct rpcrdma_regbuf *rb) rc = ib_post_recv(r_xprt->rx_ia.ri_id->qp, wr, (const struct ib_recv_wr **)&bad_wr); if (rc) { - for (wr = bad_wr; wr; wr = wr->next) { + for (wr = bad_wr; wr;) { struct rpcrdma_rep *rep; rep = container_of(wr, struct rpcrdma_rep, rr_recv_wr); + wr = wr->next; rpcrdma_recv_buffer_put(rep); --count; }
Dereference wr->next /before/ the memory backing wr has been released. This issue was found by code inspection. It is not expected to be a significant problem because it is in an error path that is almost never executed. Fixes: 7c8d9e7c8863 ("xprtrdma: Move Receive posting to ... ") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- net/sunrpc/xprtrdma/verbs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)