RDMA/iwcm: Fix memory leak
If we get IW_CM_EVENT_CONNECT_REQUEST message and encounter an error (not in the LISTEN state, cannot create an id, cannot alloc work_entry, etc), then the memory allocated by cm_event_handler() in the event->private_data gets leaked. Since cm_work_handler has already put the event on the work_free_list, this allocated memory is leaked. High backlog value can allow DoS attacks. Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> Acked-by: Steve Wise <swise@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
parent
33ba0fa9f3
commit
83b9658623
1 changed files with 4 additions and 3 deletions
|
@ -619,7 +619,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
|
||||||
spin_lock_irqsave(&listen_id_priv->lock, flags);
|
spin_lock_irqsave(&listen_id_priv->lock, flags);
|
||||||
if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
|
if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
|
||||||
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
|
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
|
||||||
return;
|
goto out;
|
||||||
}
|
}
|
||||||
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
|
spin_unlock_irqrestore(&listen_id_priv->lock, flags);
|
||||||
|
|
||||||
|
@ -628,7 +628,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
|
||||||
listen_id_priv->id.context);
|
listen_id_priv->id.context);
|
||||||
/* If the cm_id could not be created, ignore the request */
|
/* If the cm_id could not be created, ignore the request */
|
||||||
if (IS_ERR(cm_id))
|
if (IS_ERR(cm_id))
|
||||||
return;
|
goto out;
|
||||||
|
|
||||||
cm_id->provider_data = iw_event->provider_data;
|
cm_id->provider_data = iw_event->provider_data;
|
||||||
cm_id->local_addr = iw_event->local_addr;
|
cm_id->local_addr = iw_event->local_addr;
|
||||||
|
@ -641,7 +641,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
|
||||||
if (ret) {
|
if (ret) {
|
||||||
iw_cm_reject(cm_id, NULL, 0);
|
iw_cm_reject(cm_id, NULL, 0);
|
||||||
iw_destroy_cm_id(cm_id);
|
iw_destroy_cm_id(cm_id);
|
||||||
return;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Call the client CM handler */
|
/* Call the client CM handler */
|
||||||
|
@ -653,6 +653,7 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
|
||||||
kfree(cm_id);
|
kfree(cm_id);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
if (iw_event->private_data_len)
|
if (iw_event->private_data_len)
|
||||||
kfree(iw_event->private_data);
|
kfree(iw_event->private_data);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue