Commit e438bae4 authored by Ursula Braun's avatar Ursula Braun Committed by David S. Miller

net/smc: use after free fix in smc_wr_tx_put_slot()

In smc_wr_tx_put_slot() field pend->idx is used after being
cleared. That means always idx 0 is cleared in the wr_tx_mask.
This results in a broken administration of available WR send
payload buffers.
Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b9a22dd9
...@@ -215,12 +215,14 @@ int smc_wr_tx_put_slot(struct smc_link *link, ...@@ -215,12 +215,14 @@ int smc_wr_tx_put_slot(struct smc_link *link,
pend = container_of(wr_pend_priv, struct smc_wr_tx_pend, priv); pend = container_of(wr_pend_priv, struct smc_wr_tx_pend, priv);
if (pend->idx < link->wr_tx_cnt) { if (pend->idx < link->wr_tx_cnt) {
u32 idx = pend->idx;
/* clear the full struct smc_wr_tx_pend including .priv */ /* clear the full struct smc_wr_tx_pend including .priv */
memset(&link->wr_tx_pends[pend->idx], 0, memset(&link->wr_tx_pends[pend->idx], 0,
sizeof(link->wr_tx_pends[pend->idx])); sizeof(link->wr_tx_pends[pend->idx]));
memset(&link->wr_tx_bufs[pend->idx], 0, memset(&link->wr_tx_bufs[pend->idx], 0,
sizeof(link->wr_tx_bufs[pend->idx])); sizeof(link->wr_tx_bufs[pend->idx]));
test_and_clear_bit(pend->idx, link->wr_tx_mask); test_and_clear_bit(idx, link->wr_tx_mask);
return 1; return 1;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment