546481c281
When a new CM connection is being requested, ipoib driver copies data
from the path pointer in the CM/tx object, the path object might be
invalid at the point and memory corruption will happened later when now
the CM driver will try using that data.
The next scenario demonstrates it:
neigh_add_path --> ipoib_cm_create_tx -->
queue_work (pointer to path is in the cm/tx struct)
#while the work is still in the queue,
#the port goes down and causes the ipoib_flush_paths:
ipoib_flush_paths --> path_free --> kfree(path)
#at this point the work scheduled starts.
ipoib_cm_tx_start --> copy from the (invalid)path pointer:
(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
-> memory corruption.
To fix that the driver now starts the CM/tx connection only if that
specific path exists in the general paths database.
This check is protected with the relevant locks, and uses the gid from
the neigh member in the CM/tx object which is valid according to the ref
count that was taken by the CM/tx.
Fixes:
|
||
|---|---|---|
| .. | ||
| ipoib_cm.c | ||
| ipoib_ethtool.c | ||
| ipoib_fs.c | ||
| ipoib_ib.c | ||
| ipoib_main.c | ||
| ipoib_multicast.c | ||
| ipoib_netlink.c | ||
| ipoib_verbs.c | ||
| ipoib_vlan.c | ||
| ipoib.h | ||
| Kconfig | ||
| Makefile | ||