Commit 3c4fef9c authored by Bernard Metzler, committed by Greg Kroah-Hartman

RDMA/iwcm: Fix iwcm work deallocation

commit 810dbc69 upstream.

The dealloc_work_entries() function must update the work_free_list pointer
while freeing its entries, since it is potentially called again on the same
list. A second iteration of the work list caused a system crash. This happens
if work allocation fails during cma_iw_listen() and free_cm_id() tries to
free the list again during cleanup.

Fixes: 922a8e9f ("RDMA: iWARP Connection Manager.")
Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com
Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 28881f90
...@@ -137,8 +137,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv) ...@@ -137,8 +137,10 @@ static void dealloc_work_entries(struct iwcm_id_private *cm_id_priv)
{ {
struct list_head *e, *tmp; struct list_head *e, *tmp;
list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
list_del(e);
kfree(list_entry(e, struct iwcm_work, free_list)); kfree(list_entry(e, struct iwcm_work, free_list));
}
} }
static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count) static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
......
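Review bot: dealloc_work_entries() carries no comment saying that it must leave work_free_list empty because it can run twice on the same cm_id_priv, so the added list_del(e) in the loop body looks optional to a later reader and could be dropped in a cleanup, bringing back the second walk over freed entries. A one-line comment above the function stating that callers rely on the list being empty on return would pin that down. As a style point, the loop could use list_for_each_entry_safe() with a struct iwcm_work cursor on the free_list member, which removes the separate list_entry() call on a node that list_del() has already unlinked.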