[PATCH 2.6.25] RDMA/IWCM: don't access the cm_id after dereferencing it.

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Steve Wise <swise@...>

To: <rdreier@...>, <sean.hefty@...>

Cc: <linux-kernel@...>, <netdev@...>, <general@...>

Subject: [PATCH 2.6.25] RDMA/IWCM: don't access the cm_id after dereferencing it.

Date: Tuesday, March 4, 2008 - 6:44 pm

RDMA/IWCM: don't access the cm_id after dereferencing it.

cm_work_handler() can access cm_id_priv after it was potentially freed
by iwch_deref_id().  The fix is to note whether IWCM_F_CALLBACK_DESTROY
is set before dereferencing.  Then if it was set, free the cm_id on
this thread.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
---

 drivers/infiniband/core/iwcm.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index 223b1aa..81c9195 100644
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -839,6 +839,7 @@ static void cm_work_handler(struct work_struct *_work)
 	unsigned long flags;
 	int empty;
 	int ret = 0;
+	int destroy_id;
 
 	spin_lock_irqsave(&cm_id_priv->lock, flags);
 	empty = list_empty(&cm_id_priv->work_list);
@@ -857,9 +858,9 @@ static void cm_work_handler(struct work_struct *_work)
 			destroy_cm_id(&cm_id_priv->id);
 		}
 		BUG_ON(atomic_read(&cm_id_priv->refcount)==0);
+		destroy_id = test_bit(IWCM_F_CALLBACK_DESTROY, &cm_id_priv->flags);
 		if (iwcm_deref_id(cm_id_priv)) {
-			if (test_bit(IWCM_F_CALLBACK_DESTROY,
-				     &cm_id_priv->flags)) {
+			if (destroy_id) {
 				BUG_ON(!list_empty(&cm_id_priv->work_list));
 				free_cm_id(cm_id_priv);
 			}
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH 2.6.25] RDMA/IWCM: don't access the cm_id after deref..., Steve Wise, (Tue Mar 4, 6:44 pm)

Re: [PATCH 2.6.25] RDMA/IWCM: don't access the cm_id after d..., Roland Dreier, (Tue Mar 11, 12:23 am)


linux-kernel:
Linus Torvalds	Linux 2.6.27-rc8
Andi Kleen	[PATCH x86] [2/16] Add a counter for per cpu clocksource watchdog checks and repor...
David Miller	Slow DOWN, please!!!
Greg KH	Re: [Patch v2] Make PCI extended config space (MMCONFIG) a driver opt-in
git:
Jeff King	Re: [PATCH] Color support added to git-add--interactive.
Yann Dirson	Re: irc usage..
Peter Stahlir	Git as a filesystem
Junio C Hamano	Re: [PATCH 3/3] Teach "git branch" about --new-workdir
openbsd-misc:
new_guy	Code signing in OpenBSD
Jason Dixon	Wasting our Freedom
Nick Guenther	Re: Real men don't attack straw men
Daniel Ouellet	identifying sparse files and get ride of them trick available?
linux-netdev:
Wolfgang Walter	Re: Kernel oops with 2.6.26, padlock and ipsec: probably problem with fpu state ch...
KOSAKI Motohiro	[bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Tomasz Grobelny	[PATCH 0/5] [DCCP]: Queuing policies
Arjan van de Ven	Re: [GIT]: Networking


high memory	8 hours ago	Linux kernel
semaphore access speed	10 hours ago	Applications and Utilities
the kernel how to power off the machine	11 hours ago	Linux kernel
Easter Eggs in windows XP	14 hours ago	Windows
Shared swap partition	15 hours ago	Linux general
Root password	15 hours ago	Linux general
Where/when DNOTIFY is used?	17 hours ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	20 hours ago	Linux kernel
Linux 2.6.24 and I/O schedulers	20 hours ago	Linux kernel
USB Driver -- Interrupt Polling -- A Little Help Please	1 day ago	Linux general

[PATCH 2.6.25] RDMA/IWCM: don't access the cm_id after dereferencing it.

Online users