Resolving use-after-free in ib_nl_send_msg

From: Divya Indi
Date: Thu May 07 2020 - 14:35:04 EST

Next message: Divya Indi: "[PATCH 1/2] IB/sa: Resolving use-after-free in ib_nl_send_msg."
Previous message: Gustavo A. R. Silva: "[PATCH] cfg80211: Replace zero-length array with flexible-array"
Next in thread: Divya Indi: "[PATCH 1/2] IB/sa: Resolving use-after-free in ib_nl_send_msg."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[PATCH] IB/sa: Resolving use-after-free in ib_nl_send_msg.

Hi,

This patch is in reply to -

https://lkml.org/lkml/2020/4/24/1076

We have a use-after-free possibility in the ibacm code path -
when the timer(ib_nl_request_timeout) kicks in before ib_nl_snd_msg
has completed sending the query out to ibacm via netlink. The timeout
handler ie ib_nl_request_timeout may result in releasing the query while
ib_nl_snd_msg is still accessing query.

Since the issue appears to be specific to the ibacm code path, we are
trying to resolve it for the life cycle of sa_query in the ibacm code path.

Please review the proposed fix ie the patch that follows.

Would appreciate your thoughts and feedback on the same.

Let me know if you have any questions!

Thanks,
Divya

Next message: Divya Indi: "[PATCH 1/2] IB/sa: Resolving use-after-free in ib_nl_send_msg."
Previous message: Gustavo A. R. Silva: "[PATCH] cfg80211: Replace zero-length array with flexible-array"
Next in thread: Divya Indi: "[PATCH 1/2] IB/sa: Resolving use-after-free in ib_nl_send_msg."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]