projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 836dc9e)
IB/mlx4: Fix bug unwinding on error in mlx4_ib_init_sriov()
authorDan Carpenter <dan.carpenter@oracle.com>
Mon, 4 Feb 2013 11:22:36 +0000 (11:22 +0000)
committerRoland Dreier <roland@purestorage.com>
Fri, 15 Feb 2013 23:22:26 +0000 (15:22 -0800)
We have to decrement "i" before calling mlx4_ib_free_demux_ctx() or we
free something that wasn't allocated.  That's fine for free_pv_object()
but it would lead to a NULL dereference calling mlx4_ib_free_demux_ctx().
The null dereference is because ->tun is NULL when we check:

if (!ctx->tun[i])

Also we didn't free ->sriov.demux[0] so it was a small leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
drivers/infiniband/hw/mlx4/mad.c patch | blob | blame | history

diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
index 0a903c129f0a19bfd0175de7aaea382dddec6d88..934792c477bccbf2b2583453b405067165a1ebf7 100644 (file)
--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1999,16 +1999,17 @@ int mlx4_ib_init_sriov(struct mlx4_ib_dev *dev)
                        goto demux_err;
                err = mlx4_ib_alloc_demux_ctx(dev, &dev->sriov.demux[i], i + 1);
                if (err)
-                       goto demux_err;
+                       goto free_pv;
        }
        mlx4_ib_master_tunnels(dev, 1);
        return 0;
 
+free_pv:
+       free_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1);
 demux_err:
-       while (i > 0) {
+       while (--i >= 0) {
                free_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1);
                mlx4_ib_free_demux_ctx(&dev->sriov.demux[i]);
-               --i;
        }
        mlx4_ib_device_unregister_sysfs(dev);