mlx4: Fixing use after free
author Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Wed, 30 Mar 2011 23:28:52 +0000 (23:28 +0000)
committer David S. Miller <davem@davemloft.net>
Thu, 31 Mar 2011 09:52:17 +0000 (02:52 -0700)
In case of allocation failure, tried to use the promiscuous QP
entry that was previously freed.
Now freeing this entry only in case we will not put it back to the list
of promiscuous entries.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/mlx4/mcg.c

index e71372aa9cc477727b13c6ee5b9bae8756d7f6b8..37150b2f6425566b015d4dfd6d38ee207b14e232 100644 (file)
@@ -469,7 +469,6 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port,
 
        /*remove from list of promisc qps */
        list_del(&pqp->list);
-       kfree(pqp);
 
        /* set the default entry not to include the removed one */
        mailbox = mlx4_alloc_cmd_mailbox(dev);
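Review bot: With the kfree(pqp) after list_del(&pqp->list) gone, pqp is unlinked but still allocated from this point on, so any exit taken after the list_del that does not pass through out_list will leak it. Please confirm that the failure path of mlx4_alloc_cmd_mailbox(dev), and every later error path, jumps to out_list (with back_to_list set as intended) rather than straight to out_mutex, and that the success path also falls through out_list so the entry is freed there.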
@@ -528,6 +527,8 @@ out_mailbox:
 out_list:
        if (back_to_list)
                list_add_tail(&pqp->list, &s_steer->promisc_qps[steer]);
+       else
+               kfree(pqp);
 out_mutex:
        mutex_unlock(&priv->mcg_table.mutex);
        return err;
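Review bot: The new else branch at out_list frees pqp whenever back_to_list is false, which is only safe if every jump to out_list happens after list_del(&pqp->list) has run; a goto out_list taken earlier with back_to_list still false would free an entry that is still linked into s_steer->promisc_qps[steer]. The visible lines do not show the earlier gotos, so this is worth checking. A short comment above out_list stating that this label owns pqp (either re-adding it to the list or freeing it) would also make the ownership rule explicit for future changes.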