q3k
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/drivers/infiniband/core
History
Ralph Campbell 1d9bc6d648 IB/mad: Fix null pointer dereference in local_completions() 
handle_outgoing_dr_smp() can queue a struct ib_mad_local_private
*local on the mad_agent_priv->local_work work queue with
local->mad_priv == NULL if device->process_mad() returns
IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and
(!ib_response_mad(&mad_priv->mad.mad) ||
!mad_agent_priv->agent.recv_handler).

In this case, local_completions() will be called with local->mad_priv
== NULL. The code does check for this case and skips calling
recv_mad_agent->agent.recv_handler() but recv == 0 so
kmem_cache_free() is called with a NULL pointer.

Also, since recv isn't reinitialized each time through the loop, it
can cause a memory leak if recv should have been zero.

Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
 		2009-02-27 10:34:30 -08:00
..
Makefile IB/uverbs: Export ib_umem_get()/ib_umem_release() to modules 2007-05-08 18:00:37 -07:00
addr.c RDMA/addr: Fix build breakage when IPv6 is disabled 2008-12-29 23:37:14 -08:00
agent.c IB/mad: agent_send_response() should be void 2007-08-03 10:45:17 -07:00
agent.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
cache.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
cm.c x86: sysfs: kill owner field from attribute 2008-10-20 08:52:42 -07:00
cm_msgs.h IB/cm: cm_msgs.h should include ib_cm.h 2007-07-10 21:50:53 -07:00
cma.c RDMA/cma: Add IPv6 support 2008-12-24 10:16:45 -08:00
core_priv.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
device.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
fmr_pool.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
iwcm.c RDMA/iwcm: Remove IB_ACCESS_LOCAL_WRITE from remote QP attributes 2008-07-22 14:18:34 -07:00
iwcm.h
mad.c IB/mad: Fix null pointer dereference in local_completions() 2009-02-27 10:34:30 -08:00
mad_priv.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
mad_rmpp.c IB/mad: Test ib_create_send_mad() return with IS_ERR(), not == NULL 2008-08-07 14:11:56 -07:00
mad_rmpp.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
multicast.c IB/multicast: Report errors on multicast groups if P_key changes 2008-01-25 14:15:29 -08:00
packer.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
sa.h IB: Remove garbage non-ASCII characters from comments 2007-07-09 16:17:32 -07:00
sa_query.c IB/sa_query: Check if sm_ah is NULL in ib_sa_remove_one() 2008-07-22 14:18:33 -07:00
smi.c IB/mad: Enhance SMI for switch support 2007-07-09 16:17:32 -07:00
smi.h IB/mad: Enable loopback of DR SMP responses from userspace 2008-01-25 14:15:25 -08:00
sysfs.c infiniband: struct device - replace bus_id with dev_name(), dev_set_name() 2009-01-06 10:44:39 -08:00
ucm.c infiniband: struct device - replace bus_id with dev_name(), dev_set_name() 2009-01-06 10:44:39 -08:00
ucma.c RDMA/ucma: Test ucma_alloc_multicast() return against NULL, not with IS_ERR() 2008-10-10 12:00:19 -07:00
ud_header.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
umem.c RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
user_mad.c device create: infiniband: convert device_create_drvdata to device_create 2008-10-16 09:24:42 -07:00
uverbs.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
uverbs_cmd.c RDMA/core: Add memory management extensions support 2008-07-14 23:48:45 -07:00
uverbs_main.c saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
uverbs_marshall.c RDMA/cma: Export rdma cm interface to userspace 2006-12-12 11:50:22 -08:00
verbs.c IB/core: Reset to error QP state transition is not allowed 2008-07-14 23:48:46 -07:00