| From 810dbc69087b08fd53e1cdd6c709f385bc2921ad Mon Sep 17 00:00:00 2001 |
| From: Bernard Metzler <bmt@zurich.ibm.com> |
| Date: Mon, 2 Mar 2020 19:16:14 +0100 |
| Subject: RDMA/iwcm: Fix iwcm work deallocation |
| |
| From: Bernard Metzler <bmt@zurich.ibm.com> |
| |
| commit 810dbc69087b08fd53e1cdd6c709f385bc2921ad upstream. |
| |
| The dealloc_work_entries() function must update the work_free_list pointer |
| while freeing its entries, since potentially called again on same list. A |
| second iteration of the work list caused system crash. This happens, if |
| work allocation fails during cma_iw_listen() and free_cm_id() tries to |
| free the list again during cleanup. |
| |
| Fixes: 922a8e9fb2e0 ("RDMA: iWARP Connection Manager.") |
| Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com |
| Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com |
| Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com> |
| Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> |
| Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/infiniband/core/iwcm.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/infiniband/core/iwcm.c |
| +++ b/drivers/infiniband/core/iwcm.c |
| @@ -159,8 +159,10 @@ static void dealloc_work_entries(struct |
| { |
| struct list_head *e, *tmp; |
| |
| - list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) |
| + list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) { |
| + list_del(e); |
| kfree(list_entry(e, struct iwcm_work, free_list)); |
| + } |
| } |
| |
| static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count) |
