IB/mad: Fix null pointer dereference in local_completions()

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Linux Kernel Mailing List

Subject: IB/mad: Fix null pointer dereference in local_completions()

Date: Thursday, March 26, 2009 - 4:59 pm

Gitweb:     http://git.kernel.org/linus/1d9bc6d648ece77ffb41c5a577eab81fac5ad4de
Commit:     1d9bc6d648ece77ffb41c5a577eab81fac5ad4de
Parent:     7020cb0fe216fdcec246cdc2412614a3190fbb2f
Author:     Ralph Campbell <ralph.campbell@qlogic.com>
AuthorDate: Fri Feb 27 10:34:30 2009 -0800
Committer:  Roland Dreier <rolandd@cisco.com>
CommitDate: Fri Feb 27 10:34:30 2009 -0800

    IB/mad: Fix null pointer dereference in local_completions()
    
    handle_outgoing_dr_smp() can queue a struct ib_mad_local_private
    *local on the mad_agent_priv->local_work work queue with
    local->mad_priv == NULL if device->process_mad() returns
    IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and
    (!ib_response_mad(&mad_priv->mad.mad) ||
    !mad_agent_priv->agent.recv_handler).
    
    In this case, local_completions() will be called with local->mad_priv
    == NULL. The code does check for this case and skips calling
    recv_mad_agent->agent.recv_handler() but recv == 0 so
    kmem_cache_free() is called with a NULL pointer.
    
    Also, since recv isn't reinitialized each time through the loop, it
    can cause a memory leak if recv should have been zero.
    
    Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
---
 drivers/infiniband/core/mad.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 5c54fc2..735ad4e 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -2356,7 +2356,7 @@ static void local_completions(struct work_struct *work)
 	struct ib_mad_local_private *local;
 	struct ib_mad_agent_private *recv_mad_agent;
 	unsigned long flags;
-	int recv = 0;
+	int free_mad;
 	struct ib_wc wc;
 	struct ib_mad_send_wc mad_send_wc;
 
@@ -2370,14 +2370,15 @@ static void local_completions(struct work_struct *work)
 				   completion_list);
 		list_del(&local->completion_list);
 		spin_unlock_irqrestore(&mad_agent_priv->lock, flags);
+		free_mad = 0;
 		if (local->mad_priv) {
 			recv_mad_agent = local->recv_mad_agent;
 			if (!recv_mad_agent) {
 				printk(KERN_ERR PFX "No receive MAD agent for local completion\n");
+				free_mad = 1;
 				goto local_send_completion;
 			}
 
-			recv = 1;
 			/*
 			 * Defined behavior is to complete response
 			 * before request
@@ -2422,7 +2423,7 @@ local_send_completion:
 
 		spin_lock_irqsave(&mad_agent_priv->lock, flags);
 		atomic_dec(&mad_agent_priv->refcount);
-		if (!recv)
+		if (free_mad)
 			kmem_cache_free(ib_mad_cache, local->mad_priv);
 		kfree(local);
 	}
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

IB/mad: Fix null pointer dereference in local_completions(), Linux Kernel Mailing ..., (Thu Mar 26, 4:59 pm)


linux-kernel:
Mel Gorman	Re: [PATCH 1/4] vmstat: remove zone->lock from walk_zones_in_node
Guenter Roeck	Re: [lm-sensors] Location for thermal drivers
David Woodhouse	Re: RFC: Moving firmware blobs out of the kernel.
Siddha, Suresh B	Re: [PATCH 2.6.21 review I] [11/25] x86: default to physical mode on hotplug CPU k...
Peter Zijlstra	Re: [patch 4/6] mm: merge populate and nopage into fault (fixes nonlinear)
git-commits-head:
Linux Kernel Mailing List	[MIPS] Fix potential latency problem due to non-atomic cpu_wait.
Linux Kernel Mailing List	USB: rename USB_SPEED_VARIABLE to USB_SPEED_WIRELESS
Linux Kernel Mailing List	lib/vsprintf.c: fix bug omitting minus sign of numbers (module_param)
Linux Kernel Mailing List	[Bluetooth] Initiate authentication during connection establishment
Linux Kernel Mailing List	[POWERPC] 4xx: Add ppc40x_defconfig
linux-netdev:
MERCEDES	Your mail id has won 950,000.00 in the MERCEDES Benz Online Promo.for claims send:
David Miller	Re: [PATCH] xen/netfront: do not mark packets of length < MSS as GSO
David Miller	Re: skb_segment() questions
Shan Wei	[RFC PATCH net-next 2/5]IPv6:netfilter: Send an ICMPv6 "Fragment Reassembly Timeou...
Stanislaw Gruszka	[PATCH 1/4] bnx2x: use smp_mb() to keep ordering of read write operations
git:
Nicolas Sebrecht	git-svn died of signal 11 (was "3 failures on test t9100 (svn)")
Junio C Hamano	Re: [PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
Martin Langhoff	Re: [PATCH] GIT commit statistics.
Alexandre Julliard	[PATCH] gitweb: Put back shortlog instead of graphiclog in the project list.
Josh Triplett	[PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
openbsd-misc:
Taisto Qvist XX	Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics wi...
Nico Meijer	Re: gOS Develop Kit with VIA pc-1 Processor Platform VIA C7-D
Andreas Bihlmaier	Re: jetway board sensors (Fintek F71805F)
admin	Drive a 2009 car from R799p/m
Antti Harri	Re: how to create a sha256 hash