Gitweb: http://git.kernel.org/linus/1d9bc6d648ece77ffb41c5a577eab81fac5ad4de
Commit: 1d9bc6d648ece77ffb41c5a577eab81fac5ad4de
Parent: 7020cb0fe216fdcec246cdc2412614a3190fbb2f
Author: Ralph Campbell <ralph.campbell@qlogic.com>
AuthorDate: Fri Feb 27 10:34:30 2009 -0800
Committer: Roland Dreier <rolandd@cisco.com>
CommitDate: Fri Feb 27 10:34:30 2009 -0800
IB/mad: Fix null pointer dereference in local_completions()
handle_outgoing_dr_smp() can queue a struct ib_mad_local_private
*local on the mad_agent_priv->local_work work queue with
local->mad_priv == NULL if device->process_mad() returns
IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and
(!ib_response_mad(&mad_priv->mad.mad) ||
!mad_agent_priv->agent.recv_handler).

In this case, local_completions() will be called with local->mad_priv
== NULL. The code does check for this case and skips calling
recv_mad_agent->agent.recv_handler() but recv == 0 so
kmem_cache_free() is called with a NULL pointer.

Also, since recv isn't reinitialized each time through the loop, it
can cause a memory leak if recv should have been zero.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
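The two failure modes the commit message describes (a cache free on a NULL buffer, and a stale "consumed" flag that leaks later buffers) are easiest to see on a small model of the local_completions() loop. The following is an added example written for this page, not code from drivers/infiniband/core/mad.c or from the patch: the list item, the stand-in for kmem_cache_free() (named fake_cache_free here, which treats NULL as an error instead of crashing), the handler stand-in, and the drain_buggy/drain_fixed functions are all hypothetical, and the three-item work list is constructed inline.

```c
/* Added example (not kernel code): model of a completion loop that must
 * decide, per queued item, whether its reply buffer is handed to a receive
 * handler or freed by the loop itself. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct local_item {
    void *mad_priv;            /* NULL when no reply buffer was queued */
    int   has_recv_agent;      /* nonzero if a receive handler takes ownership */
    struct local_item *next;
};

struct outcome {
    int null_frees;   /* times the cache free was handed a NULL pointer */
    int leaked;       /* buffers neither freed nor consumed when the loop ends */
    int handed_off;   /* buffers consumed by the receive handler */
};

/* Stand-in for kmem_cache_free(): unlike libc free(), NULL is a bug here. */
static void fake_cache_free(void *p, struct outcome *o, int *live)
{
    if (!p) { o->null_frees++; return; }
    (*live)--;
    free(p);
}

/* Stand-in for recv_handler(): the handler owns and releases the buffer. */
static void handler_consumes(void *p, struct outcome *o, int *live)
{
    o->handed_off++;
    (*live)--;
    free(p);
}

/* Constructed work list, in queue order:
 *   1. no reply buffer (mad_priv == NULL)
 *   2. reply buffer that a receive handler will consume
 *   3. reply buffer with no handler, so the loop itself must free it */
static struct local_item *build_list(void)
{
    const int has_buf[3]   = {0, 1, 1};
    const int has_agent[3] = {0, 1, 0};
    struct local_item *head = NULL, **tail = &head;
    for (int i = 0; i < 3; i++) {
        struct local_item *it = calloc(1, sizeof *it);
        if (!it) abort();
        it->mad_priv = has_buf[i] ? malloc(64) : NULL;
        if (has_buf[i] && !it->mad_priv) abort();
        it->has_recv_agent = has_agent[i];
        *tail = it;
        tail = &it->next;
    }
    return head;
}

static int count_live(const struct local_item *it)
{
    int n = 0;
    for (; it; it = it->next) n += it->mad_priv != NULL;
    return n;
}

/* Flag declared once outside the loop: item 1 frees NULL, and after item 2
 * sets recv the flag is never cleared, so item 3's buffer is leaked. */
static struct outcome drain_buggy(struct local_item *head)
{
    struct outcome o = {0, 0, 0};
    int live = count_live(head);
    int recv = 0;                       /* never reset per iteration */
    while (head) {
        struct local_item *local = head;
        head = local->next;
        if (local->mad_priv && local->has_recv_agent) {
            recv = 1;
            handler_consumes(local->mad_priv, &o, &live);
        }
        if (!recv)                      /* mad_priv may be NULL here */
            fake_cache_free(local->mad_priv, &o, &live);
        free(local);
    }
    o.leaked = live;
    return o;
}

/* Decision recomputed for every item and guarded on the pointer. */
static struct outcome drain_fixed(struct local_item *head)
{
    struct outcome o = {0, 0, 0};
    int live = count_live(head);
    while (head) {
        struct local_item *local = head;
        int free_mad = 0;               /* fresh for each item */
        head = local->next;
        if (local->mad_priv) {
            if (local->has_recv_agent)
                handler_consumes(local->mad_priv, &o, &live);
            else
                free_mad = 1;           /* nobody else will release it */
        }
        if (free_mad)
            fake_cache_free(local->mad_priv, &o, &live);
        free(local);
    }
    o.leaked = live;
    return o;
}

int main(void)
{
    struct outcome b = drain_buggy(build_list());
    struct outcome f = drain_fixed(build_list());
    printf("buggy: null_frees=%d leaked=%d handed_off=%d\n",
           b.null_frees, b.leaked, b.handed_off);
    printf("fixed: null_frees=%d leaked=%d handed_off=%d\n",
           f.null_frees, f.leaked, f.handed_off);
    return 0;
}
```

The model keeps the ownership rule of the real loop: a buffer passed to a receive handler belongs to the handler afterwards, so the loop may only free what it did not hand off, and it must decide that afresh for each item.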
---
drivers/infiniband/core/mad.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 5c54fc2..735ad4e 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -2356,7 +2356,7 @@ static void local_completions(struct work_struct *work)
struct ib_mad_local_private *local;
struct ib_mad_agent_private *recv_mad_agent;
unsigned long flags;
- int recv = 0;
+ int free_mad;
struct ib_wc wc;
struct ib_mad_send_wc mad_send_wc;
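Review bot: `int free_mad;` replaces `int recv = 0;` with no initializer, so this declaration only stays correct if every path through the loop body assigns free_mad before the final free decision reads it; since the commit message's second problem is precisely that recv was never reset between iterations, the assignment should be at the top of each loop iteration rather than at the declaration, and a reviewer should confirm that in the second hunk.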
@@ -2370,14 +2370,15 @@ static void local_completions(struct work_struct *work)
completion_list);
list_del(&local->completion_list);
spin_unlock_irqrestore(&mad_agent_priv->lock, ...
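Review bot: the hunk is cut off right after the spin_unlock_irqrestore line, so the only visible lines are unchanged context; the per-iteration reset of free_mad and the NULL guard on local->mad_priv that the commit message promises cannot be checked here, and the full hunk should show both before this is merged.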