    [PATCH] IB: fix CM use-after-free · 1b205c2d
    Roland Dreier authored
    If the CM REQ handling function gets to error2, then it frees
    cm_id_priv->timewait_info.  But the next line goes through
    ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
    which ends up calling cm_cleanup_timewait(), which dereferences the
    pointer we just freed.  Make sure we clear cm_id_priv->timewait_info
    after freeing it, so that doesn't happen.
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
cm.c 93.7 KB
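The bug class the commit describes is a dangling owning pointer: the error path frees `cm_id_priv->timewait_info`, and a cleanup routine reached a few calls later still sees the stale pointer and touches it. The user-space model below is an added example, not the kernel's `cm.c`; it borrows the function and field names from the commit message, but the struct contents, the `enum cleanup_result` return codes, the `req_handler_error2()` driver function and the small free-quarantine (which lets the model report a use-after-free instead of actually dereferencing freed memory) are all assumptions made here for illustration. Passing `0` reproduces the pre-fix ordering; passing `1` applies the fix of clearing the pointer right after freeing it.

```c
#include <stdlib.h>
#include <stdio.h>

/* Simplified model of the two objects named in the commit message.
 * Only the owning-pointer relation is taken from the message; the field
 * contents are constructed for this example. */
struct cm_timewait_info {
    int remote_qpn;                 /* placeholder payload (constructed) */
};

struct cm_id_private {
    struct cm_timewait_info *timewait_info;
};

/* Tiny free-quarantine (assumption, not kernel code): freed blocks are
 * remembered instead of released at once, so the model can detect a
 * use of freed memory the way KASAN/ASan would, without undefined behaviour. */
#define QUARANTINE_SLOTS 16
static void *quarantine[QUARANTINE_SLOTS];
static int quarantine_len;

static void twi_free(struct cm_timewait_info *twi)
{
    if (quarantine_len < QUARANTINE_SLOTS)
        quarantine[quarantine_len++] = twi;
}

static int twi_is_freed(const void *p)
{
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p)
            return 1;
    return 0;
}

static void quarantine_flush(void)
{
    for (int i = 0; i < quarantine_len; i++)
        free(quarantine[i]);
    quarantine_len = 0;
}

enum cleanup_result { CLEANUP_NONE = 0, CLEANUP_DONE = 1, CLEANUP_UAF = -1 };

/* Model of cm_cleanup_timewait(): reached through ib_destroy_cm_id() ->
 * ib_send_cm_rej() -> cm_reset_to_idle() in the real driver. It guards only
 * against a NULL pointer, so a dangling (freed but not cleared) one is used. */
static enum cleanup_result cm_cleanup_timewait(struct cm_id_private *cm_id_priv)
{
    struct cm_timewait_info *twi = cm_id_priv->timewait_info;

    if (!twi)
        return CLEANUP_NONE;        /* pointer was cleared: nothing to do */
    if (twi_is_freed(twi))
        return CLEANUP_UAF;         /* real code would dereference freed memory here */
    twi_free(twi);
    cm_id_priv->timewait_info = NULL;
    return CLEANUP_DONE;
}

/* Model of ib_destroy_cm_id(), reduced to the one call that matters. */
static enum cleanup_result ib_destroy_cm_id(struct cm_id_private *cm_id_priv)
{
    return cm_cleanup_timewait(cm_id_priv);
}

/* The REQ handler's error2 path. clear_after_free = 0 reproduces the
 * pre-fix ordering; 1 applies the fix from the commit message. */
static enum cleanup_result req_handler_error2(int clear_after_free)
{
    struct cm_id_private priv;
    enum cleanup_result r;

    priv.timewait_info = calloc(1, sizeof *priv.timewait_info);
    if (!priv.timewait_info)
        abort();                    /* allocation failure is out of scope here */
    priv.timewait_info->remote_qpn = 42;   /* constructed value */

    twi_free(priv.timewait_info);   /* error2: free timewait_info */
    if (clear_after_free)
        priv.timewait_info = NULL;  /* the fix: never leave an owning pointer dangling */

    r = ib_destroy_cm_id(&priv);    /* "the next line" in the commit message */
    quarantine_flush();
    return r;
}

int main(void)
{
    printf("pre-fix path: %d (-1 = use-after-free detected)\n", req_handler_error2(0));
    printf("fixed path:   %d (0 = nothing left to clean up)\n", req_handler_error2(1));
    return 0;
}
```

The general lesson is the one the commit applies: when an error path releases an object that another, later-running cleanup routine also knows how to release, the owning pointer must be nulled at the point of the free so the NULL check in the cleanup routine becomes the single source of truth about whether the object is still alive.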