mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-17 03:14:12 +08:00
6e410d8f71
In rx_data(), with the ep in FPDU_MODE, refcnt=2, if we get unexpected streaming data, we call c4iw_modify_rc_qp() and move the qp from RTS -> TERMINATE. In c4iw_modify_rc_qp(), if rdma_fini() returns an error, the ep will be dereferenced (refcnt=1). Then rx_data() calls c4iw_ep_disconnect() which starts the close operation. But if send_halfclose() fails in c4iw_ep_disconnect(), we will call release_ep_resources() derefing the ep which reduces the refcnt to 0 and and frees the ep. However we still has the ep mutex at that point, so we have a touch-after-free bug. There is a similar issue where peer_close() calls c4iw_ep_disconnect(). The solution is to add a reference to the ep in c4iw_ep_disconnect() after acquiring the mutex, and release it after releasing the mutex. Signed-off-by: Steve Wise <swise@opengridcomputing.com> Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> Signed-off-by: Doug Ledford <dledford@redhat.com> |
||
|---|---|---|
| .. | ||
| cxgb3 | ||
| cxgb4 | ||
| i40iw | ||
| mlx4 | ||
| mlx5 | ||
| mthca | ||
| nes | ||
| ocrdma | ||
| qib | ||
| usnic | ||
| Makefile | ||