In cm_work_handler, it calls destroy_cm_id() to release the initial reference of cm_id_priv taken by iw_create_cm_id() and free the cm_id_priv. After destroy_cm_id(), iwcm_deref_id(cm_id_priv) will be called and cause a use after free. Fixes: 59c68ac31e15a ("iw_cm: free cm_id resources on the last deref") Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> --- drivers/infiniband/core/iwcm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c index da8adadf4755..cb6b4ac45e21 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -1035,8 +1035,10 @@ static void cm_work_handler(struct work_struct *_work) if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) { ret = process_event(cm_id_priv, &levent); - if (ret) + if (ret) { destroy_cm_id(&cm_id_priv->id); + return; + } } else pr_debug("dropping event %d\n", levent.event); if (iwcm_deref_id(cm_id_priv)) -- 2.25.1
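Review bot: the early return after destroy_cm_id() is the right shape, since the trailing context shows iwcm_deref_id(cm_id_priv) would otherwise run on a cm_id_priv that destroy_cm_id() may already have freed, but it also exits cm_work_handler before whatever follows the deref runs for any events still queued on this cm_id, so a one-line comment at the return stating that cm_id_priv must not be touched after destroy_cm_id() would make the lifetime rule explicit for the next reader. Please confirm in the full function that no spinlock is held at the point of the new return so the early exit cannot leak a lock, and spell the function as destroy_cm_id() in the commit message to match the code.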