From: Chuck Lever <chuck.lever@oracle.com>
To: anna.schumaker@netapp.com
Cc: linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v3 02/19] xprtrdma: Fix use-after-free in rpcrdma_post_recvs
Date: Mon, 17 Jun 2019 11:31:40 -0400 [thread overview]
Message-ID: <20190617153140.12090.57798.stgit@manet.1015granger.net> (raw)
In-Reply-To: <20190617152657.12090.11389.stgit@manet.1015granger.net>
Dereference wr->next /before/ the memory backing wr has been
released. This issue was found by code inspection. It is not
expected to be a significant problem because it is in an error
path that is almost never executed.
Fixes: 7c8d9e7c8863 ("xprtrdma: Move Receive posting to ... ")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/sunrpc/xprtrdma/verbs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 84bb379..e71315e 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -1553,10 +1553,11 @@ static void rpcrdma_regbuf_free(struct rpcrdma_regbuf *rb)
rc = ib_post_recv(r_xprt->rx_ia.ri_id->qp, wr,
(const struct ib_recv_wr **)&bad_wr);
if (rc) {
- for (wr = bad_wr; wr; wr = wr->next) {
+ for (wr = bad_wr; wr;) {
struct rpcrdma_rep *rep;
rep = container_of(wr, struct rpcrdma_rep, rr_recv_wr);
+ wr = wr->next;
rpcrdma_recv_buffer_put(rep);
--count;
}
next prev parent reply other threads:[~2019-06-17 15:31 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-17 15:31 [PATCH v3 00/19] for-5.3 patches Chuck Lever
2019-06-17 15:31 ` [PATCH v3 01/19] xprtrdma: Fix a BUG when tracing is enabled with NFSv4.1 on RDMA Chuck Lever
2019-06-17 15:31 ` Chuck Lever [this message]
2019-06-17 15:31 ` [PATCH v3 03/19] xprtrdma: Replace use of xdr_stream_pos in rpcrdma_marshal_req Chuck Lever
2019-06-17 15:31 ` [PATCH v3 04/19] xprtrdma: Fix occasional transport deadlock Chuck Lever
2019-06-17 15:31 ` [PATCH v3 05/19] xprtrdma: Remove the RPCRDMA_REQ_F_PENDING flag Chuck Lever
2019-06-17 15:32 ` [PATCH v3 06/19] xprtrdma: Remove fr_state Chuck Lever
2019-06-17 20:36 ` Chuck Lever
2019-06-17 15:32 ` [PATCH v3 07/19] xprtrdma: Add mechanism to place MRs back on the free list Chuck Lever
2019-06-17 15:32 ` [PATCH v3 08/19] xprtrdma: Reduce context switching due to Local Invalidation Chuck Lever
2019-06-17 15:32 ` [PATCH v3 09/19] xprtrdma: Wake RPCs directly in rpcrdma_wc_send path Chuck Lever
2019-06-17 15:32 ` [PATCH v3 10/19] xprtrdma: Simplify rpcrdma_rep_create Chuck Lever
2019-06-17 15:32 ` [PATCH v3 11/19] xprtrdma: Streamline rpcrdma_post_recvs Chuck Lever
2019-06-17 15:32 ` [PATCH v3 12/19] xprtrdma: Refactor chunk encoding Chuck Lever
2019-06-17 15:32 ` [PATCH v3 13/19] xprtrdma: Remove rpcrdma_req::rl_buffer Chuck Lever
2019-06-17 15:32 ` [PATCH v3 14/19] xprtrdma: Modernize ops->connect Chuck Lever
2019-06-17 15:32 ` [PATCH v3 15/19] NFS4: Add a trace event to record invalid CB sequence IDs Chuck Lever
2019-06-17 15:32 ` [PATCH v3 16/19] NFS: Fix show_nfs_errors macros again Chuck Lever
2019-06-17 15:33 ` [PATCH v3 17/19] NFS: Display symbolic status code names in trace log Chuck Lever
2019-06-17 15:33 ` [PATCH v3 18/19] NFS: Update symbolic flags displayed by trace events Chuck Lever
2019-06-17 15:33 ` [PATCH v3 19/19] NFS: Record task, client ID, and XID in xdr_status trace points Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190617153140.12090.57798.stgit@manet.1015granger.net \
--to=chuck.lever@oracle.com \
--cc=anna.schumaker@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.