In the case of I40IW_CM_EVENT_ABORTED, i40iw_event_connect_error() could be called to free the event->cm_node. However, event->cm_node will be used after and cause use after free. It needs to add flags to inform that event->cm_node has been freed. Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> --- drivers/infiniband/hw/i40iw/i40iw_cm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c index ac65c8237b2e..447b43c2d21f 100644 --- a/drivers/infiniband/hw/i40iw/i40iw_cm.c +++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c @@ -4175,6 +4175,7 @@ static void i40iw_cm_event_handler(struct work_struct *work) struct i40iw_cm_event, event_work); struct i40iw_cm_node *cm_node; + int flags = 0; if (!event || !event->cm_node || !event->cm_node->cm_core) return; @@ -4211,6 +4212,7 @@ static void i40iw_cm_event_handler(struct work_struct *work) (event->cm_node->state == I40IW_CM_STATE_OFFLOADED)) break; i40iw_event_connect_error(event); + flags = 1; break; default: i40iw_pr_err("event type = %d\n", event->type); @@ -4218,7 +4220,8 @@ static void i40iw_cm_event_handler(struct work_struct *work) } event->cm_info.cm_id->rem_ref(event->cm_info.cm_id); - i40iw_rem_ref_cm_node(event->cm_node); + if (!flags) + i40iw_rem_ref_cm_node(event->cm_node); kfree(event); } -- 2.25.1
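Review bot: The `flags = 1` after `i40iw_event_connect_error(event)` in the second hunk makes the handler skip its own `i40iw_rem_ref_cm_node(event->cm_node)` on every aborted path, yet nothing in the patch or its description shows which reference that final drop was balancing: if the event takes its own cm_node reference when it is created (the usual pairing for a queued work item, but its creation is outside the hunks), the drop inside `i40iw_event_connect_error()` cannot be the last one, there is no use-after-free, and the change instead leaks one reference per aborted connection. The flag is also set unconditionally, so if `i40iw_event_connect_error()` has an early-return path that does not drop a reference (its body is not in the diff) the cm_node is never released at all. The commit message should cite the take/drop pairing that makes the handler's drop the dangling one rather than asserting the UAF, and the value should be a named boolean: `bool cm_node_released = false;`, `cm_node_released = true;`, `if (!cm_node_released)`. i40iw_cm_event_handler begins before the first hunk and the remaining switch cases lie between the hunks, so the other event types' refcount handling is not visible here.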