From 354ba39cf96e439149541acf3c6c7c0df0a3ef25 Mon Sep 17 00:00:00 2001 From: John Kingman Date: Fri, 9 Sep 2005 18:23:32 -0700 Subject: [PATCH] IB CM: support CM redir Changes to CM to support CM and port redirection (REJ reason 24). Signed-off-by: John Kingman storagegear.com> Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier --- drivers/infiniband/core/cm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/infiniband/core/cm.c') diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c index 4de93ba274a..96136543aa4 100644 --- a/drivers/infiniband/core/cm.c +++ b/drivers/infiniband/core/cm.c @@ -173,7 +173,8 @@ static int cm_alloc_msg(struct cm_id_private *cm_id_priv, if (IS_ERR(ah)) return PTR_ERR(ah); - m = ib_create_send_mad(mad_agent, 1, cm_id_priv->av.pkey_index, + m = ib_create_send_mad(mad_agent, cm_id_priv->id.remote_cm_qpn, + cm_id_priv->av.pkey_index, ah, 0, sizeof(struct ib_mad_hdr), sizeof(struct ib_mad)-sizeof(struct ib_mad_hdr), GFP_ATOMIC); @@ -536,6 +537,7 @@ struct ib_cm_id *ib_create_cm_id(ib_cm_handler cm_handler, cm_id_priv->id.state = IB_CM_IDLE; cm_id_priv->id.cm_handler = cm_handler; cm_id_priv->id.context = context; + cm_id_priv->id.remote_cm_qpn = 1; ret = cm_alloc_id(cm_id_priv); if (ret) goto error; -- cgit v1.2.3 From 1b205c2d2464bfecbba80227e74b412596dc5521 Mon Sep 17 00:00:00 2001 From: Roland Dreier Date: Fri, 9 Sep 2005 20:52:00 -0700 Subject: [PATCH] IB: fix CM use-after-free If the CM REQ handling function gets to error2, then it frees cm_id_priv->timewait_info. But the next line goes through ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(), which ends up calling cm_cleanup_timewait(), which dereferences the pointer we just freed. Make sure we clear cm_id_priv->timewait_info after freeing it, so that doesn't happen. Signed-off-by: Roland Dreier --- drivers/infiniband/core/cm.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/infiniband/core/cm.c') diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c index 96136543aa4..54db6d4831f 100644 --- a/drivers/infiniband/core/cm.c +++ b/drivers/infiniband/core/cm.c @@ -1315,6 +1315,7 @@ error3: atomic_dec(&cm_id_priv->refcount); cm_deref_id(listen_cm_id_priv); cm_cleanup_timewait(cm_id_priv->timewait_info); error2: kfree(cm_id_priv->timewait_info); + cm_id_priv->timewait_info = NULL; error1: ib_destroy_cm_id(&cm_id_priv->id); return ret; } -- cgit v1.2.3