diff options
author | Karsten Graul <kgraul@linux.ibm.com> | 2020-07-18 15:06:17 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-07-19 15:30:23 -0700 |
commit | fd7f3a746582e8b17c48d4d8087d38c91f59ba67 (patch) | |
tree | 8819d5305359b89f27a46c976c47695c3a31f369 /net | |
parent | 741a49a4dc5fd7e61b37b259dde915083c2c5327 (diff) | |
download | linux-fd7f3a746582e8b17c48d4d8087d38c91f59ba67.tar.gz linux-fd7f3a746582e8b17c48d4d8087d38c91f59ba67.tar.bz2 linux-fd7f3a746582e8b17c48d4d8087d38c91f59ba67.zip |
net/smc: remove freed buffer from list
Two buffers are allocated for each SMC connection. Each buffer is
added to a buffer list after creation. When the second buffer
allocation fails, the first buffer is freed but not deleted from
the list. This might result in crashes when another connection picks
up the freed buffer later and starts to work with it.
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Fixes: 6511aad3f039 ("net/smc: change smc_buf_free function parameters")
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/smc/smc_core.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 42ba227f3e97..ca3dc6af73af 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -1772,8 +1772,12 @@ int smc_buf_create(struct smc_sock *smc, bool is_smcd) return rc; /* create rmb */ rc = __smc_buf_create(smc, is_smcd, true); - if (rc) + if (rc) { + mutex_lock(&smc->conn.lgr->sndbufs_lock); + list_del(&smc->conn.sndbuf_desc->list); + mutex_unlock(&smc->conn.lgr->sndbufs_lock); smc_buf_free(smc->conn.lgr, false, smc->conn.sndbuf_desc); + } return rc; } |