linux_dsm_epyc7002/net/rds
Lv Yunlong 4cfae7b238 net/rds: Fix a use after free in rds_message_map_pages
[ Upstream commit bdc2ab5c61a5c07388f4820ff21e787b4dfd1ced ]

In rds_message_map_pages, the rm is freed by rds_message_put(rm).
But rm is still used by rm->data.op_sg in return value.

My patch assigns ERR_CAST(rm->data.op_sg) to err before the rm is
freed to avoid the uaf.

Fixes: 7dba92037b ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-04-14 08:42:09 +02:00
..
af_rds.c
bind.c
cong.c
connection.c
ib_cm.c
ib_frmr.c
ib_mr.h
ib_rdma.c
ib_recv.c
ib_ring.c
ib_send.c
ib_stats.c
ib_sysctl.c
ib.c
ib.h RDMA: Lift ibdev_to_node from rds to common code 2021-02-26 10:12:59 +01:00
info.c
info.h
Kconfig
loop.c
loop.h
Makefile
message.c net/rds: Fix a use after free in rds_message_map_pages 2021-04-14 08:42:09 +02:00
page.c
rdma_transport.c
rdma_transport.h
rdma.c
rds_single_path.h
rds.h
recv.c
send.c
stats.c
sysctl.c
tcp_connect.c
tcp_listen.c
tcp_recv.c
tcp_send.c
tcp_stats.c
tcp.c
tcp.h
threads.c
transport.c