kernel / kernel-source

Clone
Source Code
GIT

Blame patches.suse/rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   82fdaabdb20ae6bf14e7ba999bd9a87ebdf626c3
  2.   patches.suse
  3.   rds-rds_rm_zerocopy_callback-correct-order-for-list_add_tail.patch
Blob History Raw
Miroslav Franc 590eda 
From: Pietro Borrello <borrello@diag.uniroma1.it>
Miroslav Franc 590eda 
Date: Thu, 9 Feb 2023 12:26:23 +0000
Miroslav Franc 590eda 
Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
Miroslav Franc 590eda 
Git-commit: 68762148d1b011d47bc2ceed7321739b5aea1e63
Miroslav Franc 590eda 
Patch-mainline: v6.3-rc1
Miroslav Franc 590eda 
References: CVE-2023-1078 bsc#1208601
Miroslav Franc 590eda
Miroslav Franc 590eda 
rds_rm_zerocopy_callback() uses list_add_tail() with swapped
Miroslav Franc 590eda 
arguments. This links the list head with the new entry, losing
Miroslav Franc 590eda 
the references to the remaining part of the list.
Miroslav Franc 590eda
Miroslav Franc 590eda 
Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification")
Miroslav Franc 590eda 
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Miroslav Franc 590eda 
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Miroslav Franc 590eda 
Signed-off-by: David S. Miller <davem@davemloft.net>
Miroslav Franc 590eda 
Acked-by: Miroslav Franc <mfranc@suse.cz>
Miroslav Franc 590eda 
---
Miroslav Franc 590eda 
 net/rds/message.c | 2 +-
Miroslav Franc 590eda 
 1 file changed, 1 insertion(+), 1 deletion(-)
Miroslav Franc 590eda
Miroslav Franc 590eda 
diff --git a/net/rds/message.c b/net/rds/message.c
Miroslav Franc 590eda 
index c19c93561227..7af59d2443e5 100644
Miroslav Franc 590eda 
--- a/net/rds/message.c
Miroslav Franc 590eda 
+++ b/net/rds/message.c
Miroslav Franc 590eda 
@@ -118,7 +118,7 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs,
Miroslav Franc 590eda 
 	ck = &info->zcookies;
Miroslav Franc 590eda 
 	memset(ck, 0, sizeof(*ck));
Miroslav Franc 590eda 
 	WARN_ON(!rds_zcookie_add(info, cookie));
Miroslav Franc 590eda 
-	list_add_tail(&q->zcookie_head, &info->rs_zcookie_next);
Miroslav Franc 590eda 
+	list_add_tail(&info->rs_zcookie_next, &q->zcookie_head);
Miroslav Franc 590eda
Miroslav Franc 590eda 
 	spin_unlock_irqrestore(&q->lock, flags);
Miroslav Franc 590eda 
 	/* caller invokes rds_wake_sk_sleep() */
Miroslav Franc 590eda
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.