[PATCH] IB: fix CM use-after-free

If the CM REQ handling function gets to error2, then it frees cm_id_priv->timewait_info. But the next line goes through ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(), which ends up calling cm_cleanup_timewait(), which dereferences the pointer we just freed. Make sure we clear cm_id_priv->timewait_info after freeing it, so that doesn't happen. Signed-off-by: Roland Dreier <rolandd@cisco.com>
git-mirror · Sep 10, 2005 · 1b205c2 · 1b205c2
1 parent 354ba39
commit 1b205c2
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
@@ -1315,6 +1315,7 @@ error3:	atomic_dec(&cm_id_priv->refcount);
 	cm_deref_id(listen_cm_id_priv);
 	cm_cleanup_timewait(cm_id_priv->timewait_info);
 error2:	kfree(cm_id_priv->timewait_info);
+	cm_id_priv->timewait_info = NULL;
 error1:	ib_destroy_cm_id(&cm_id_priv->id);
 	return ret;
 }