IB/core: Fix use after free in send_leave function - user/sven/linux.git

diff options

author	Erez Shitrit <erezsh@mellanox.com>	2016-08-28 10:58:30 +0300
committer	Ben Hutchings <ben@decadent.org.uk>	2016-11-20 01:17:21 +0000
commit	44caa356b906a3de1faf18192b0067070afe260f (patch)
tree	a42c847ca437b040fd1d5f5f621b81b8c7a9bb3f /include/linux
parent	05554fc33e11692136b1f70629e6819ff3dc93c7 (diff)

IB/core: Fix use after free in send_leave function

commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream. The function send_leave sets the member: group->query_id (group->query_id = ret) after calling the sa_query, but leave_handler can be executed before the setting and it might delete the group object, and will get a memory corruption. Additionally, this patch gets rid of group->query_id variable which is not used. Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests') Signed-off-by: Erez Shitrit <erezsh@mellanox.com> Signed-off-by: Leon Romanovsky <leon@kernel.org> Signed-off-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: