linux/drivers/infiniband/sw/rxe
Pavel Skripkin 84b01721e8 RDMA: Fix use-after-free in rxe_queue_cleanup
On error handling path in rxe_qp_from_init() qp->sq.queue is freed and
then rxe_create_qp() will drop last reference to this object. qp clean up
function will try to free this queue one time and it causes UAF bug.

Fix it by zeroing queue pointer after freeing queue in rxe_qp_from_init().

Fixes: 514aee660d ("RDMA: Globally allocate and release QP memory")
Link: https://lore.kernel.org/r/20211121202239.3129-1-paskripkin@gmail.com
Reported-by: syzbot+aab53008a5adf26abe91@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Zhu Yanjun <zyjzyj2000@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2021-11-25 13:15:59 -04:00
Kconfig RDMA/rxe: Fix missing kconfig dependency on CRYPTO 2021-03-01 14:46:31 -04:00
Makefile RDMA/rxe: Add ib_alloc_mw and ib_dealloc_mw verbs 2021-06-16 20:51:17 -03:00
rxe_av.c RDMA/rxe: Lookup kernel AH from ah index in UD WQEs 2021-10-12 13:25:26 -03:00
rxe_comp.c RDMA/rxe: Set partial attributes when completion status != IBV_WC_SUCCESS 2021-10-06 19:45:30 -03:00
rxe_cq.c RDMA/rxe: Change the is_user member of struct rxe_cq to bool 2021-10-06 19:45:30 -03:00
rxe_hdr.h RDMA/rxe: Remove unused pkt->offset 2021-02-16 14:42:59 -04:00
rxe_hw_counters.c RDMA/counter: Add a descriptor in struct rdma_hw_stats 2021-10-12 12:48:04 -03:00
rxe_hw_counters.h RDMA: Split the alloc_hw_stats() ops to port and device variants 2021-06-16 20:58:29 -03:00
rxe_icrc.c RDMA/rxe: Fix types in rxe_icrc.c 2021-07-16 12:43:35 -03:00
rxe_loc.h RDMA/rxe: Create duplicate mapping tables for FMRs 2021-09-24 10:15:00 -03:00
rxe_mcast.c RDMA/rxe: Fix memory allocation while in a spin lock 2021-08-19 20:11:16 -03:00
rxe_mmap.c RDMA/rxe: Add SPDX hdrs to rxe source files 2020-08-31 12:20:02 -03:00
rxe_mr.c RDMA/rxe: Only allow invalidate for appropriate MRs 2021-09-24 10:15:00 -03:00
rxe_mw.c RDMA/rxe: Create duplicate mapping tables for FMRs 2021-09-24 10:15:00 -03:00
rxe_net.c Merge branch 'sg_nents' into rdma.git for-next 2021-08-30 09:49:59 -03:00
rxe_net.h RDMA/rxe: Add SPDX hdrs to rxe source files 2020-08-31 12:20:02 -03:00
rxe_opcode.c RDMA/rxe: Add support for bind MW work requests 2021-06-16 20:51:18 -03:00
rxe_opcode.h RDMA/rxe: Remove unused WR_READ_WRITE_OR_SEND_MASK 2021-09-28 11:42:24 -03:00
rxe_param.h RDMA/rxe: Change AH objects to indexed 2021-10-12 13:25:26 -03:00
rxe_pool.c RDMA/rxe: Make rxe_type_info static const 2021-10-28 08:58:27 -03:00
rxe_pool.h RDMA/rxe: Make rxe_type_info static const 2021-10-28 08:58:27 -03:00
rxe_qp.c RDMA: Fix use-after-free in rxe_queue_cleanup 2021-11-25 13:15:59 -04:00
rxe_queue.c RDMA/rxe: Add memory barriers to kernel queues 2021-09-24 10:14:59 -03:00
rxe_queue.h RDMA/rxe: Add memory barriers to kernel queues 2021-09-24 10:14:59 -03:00
rxe_recv.c RDMA/rxe: Move ICRC checking to a subroutine 2021-07-16 12:43:33 -03:00
rxe_req.c RDMA/rxe: Lookup kernel AH from ah index in UD WQEs 2021-10-12 13:25:26 -03:00
rxe_resp.c RDMA/rxe: Remove duplicate settings 2021-10-06 19:45:30 -03:00
rxe_srq.c RDMA/rxe: Remove the is_user members of struct rxe_sq/rxe_rq/rxe_srq 2021-10-06 19:45:29 -03:00
rxe_sysfs.c Merge branch 'mlx5_active_speed' into rdma.git for-next 2020-09-18 10:31:45 -03:00
rxe_task.c RDMA/rxe: Convert tasklets to use new tasklet_setup() API 2020-09-03 12:01:53 -03:00
rxe_task.h RDMA/rxe: Convert tasklets to use new tasklet_setup() API 2020-09-03 12:01:53 -03:00
rxe_verbs.c RDMA/rxe: Convert kernel UD post send to use ah_num 2021-10-12 13:25:27 -03:00
rxe_verbs.h RDMA/rxe: Replace ah->pd by ah->ibah.pd 2021-10-12 13:25:26 -03:00
rxe.c RDMA/rxe: Enable MW object pool 2021-06-16 20:51:17 -03:00
rxe.h RDMA/rxe: Move crc32 init code to rxe_icrc.c 2021-07-16 12:43:34 -03:00