This is a note to let you know that I've just added the patch titled iw_cxgb4: remove the stid on listen create failure to the 4.13-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: iw_cxgb4-remove-the-stid-on-listen-create-failure.patch and it can be found in the queue-4.13 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 Mon Sep 17 00:00:00 2001 From: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx> Date: Tue, 5 Sep 2017 11:52:34 -0700 Subject: iw_cxgb4: remove the stid on listen create failure From: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx> commit 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 upstream. If a listen create fails, then the server tid (stid) is incorrectly left in the stid idr table, which can cause a touch-after-free if the stid is looked up and the already freed endpoint is touched. So make sure and remove it in the error path. Signed-off-by: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/infiniband/hw/cxgb4/cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/hw/cxgb4/cm.c +++ b/drivers/infiniband/hw/cxgb4/cm.c @@ -3463,7 +3463,7 @@ int c4iw_create_listen(struct iw_cm_id * cm_id->provider_data = ep; goto out; } - + remove_handle(ep->com.dev, &ep->com.dev->stid_idr, ep->stid); cxgb4_free_stid(ep->com.dev->rdev.lldi.tids, ep->stid, ep->com.local_addr.ss_family); fail2: Patches currently in stable-queue which might be from swise@xxxxxxxxxxxxxxxxxxxxx are queue-4.13/iw_cxgb4-drop-listen-destroy-replies-if-no-ep-found.patch queue-4.13/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch queue-4.13/iw_cxgb4-remove-the-stid-on-listen-create-failure.patch
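Review bot: the remove_handle() call is correctly placed ahead of cxgb4_free_stid() in the error path: once the stid is returned to the lldi tid pool it can be reallocated, and a stale entry in ep->com.dev->stid_idr would map the recycled stid back to the freed endpoint, which is exactly the touch-after-free the commit message describes. Two things the hunk does not show and are worth confirming in the full function: that every path reaching this point has already inserted ep->stid into the stid idr (otherwise remove_handle() runs for an id that was never added), and that nothing after the fail2: label removes the same handle a second time. A short comment above the new line, noting that it mirrors the insert into stid_idr on the success path, would make the pairing obvious to future readers.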