2008-02-20 01:09:04

by Adrian Bunk

[permalink] [raw]
Subject: [2.6 patch] infiniband/hw/nes/nes_verbs.c: fix use-after-free

This patch fixes a use-after-free spotted by the Coverity checker.

Signed-off-by: Adrian Bunk <[email protected]>

---

drivers/infiniband/hw/nes/nes_verbs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6/drivers/infiniband/hw/nes/nes_verbs.c.old 2008-02-20 03:02:13.000000000 +0200
+++ linux-2.6/drivers/infiniband/hw/nes/nes_verbs.c 2008-02-20 03:03:20.000000000 +0200
@@ -1820,22 +1820,22 @@ static struct ib_cq *nes_create_cq(struc
ret = wait_event_timeout(cqp_request->waitq, (0 != cqp_request->request_done),
NES_EVENT_TIMEOUT * 2);
nes_debug(NES_DBG_CQ, "Create iWARP CQ%u completed, wait_event_timeout ret = %d.\n",
nescq->hw_cq.cq_number, ret);
if ((!ret) || (cqp_request->major_code)) {
+ nes_debug(NES_DBG_CQ, "iWARP CQ%u create timeout expired, major code = 0x%04X,"
+ " minor code = 0x%04X\n",
+ nescq->hw_cq.cq_number, cqp_request->major_code, cqp_request->minor_code);
if (atomic_dec_and_test(&cqp_request->refcount)) {
if (cqp_request->dynamic) {
kfree(cqp_request);
} else {
spin_lock_irqsave(&nesdev->cqp.lock, flags);
list_add_tail(&cqp_request->list, &nesdev->cqp_avail_reqs);
spin_unlock_irqrestore(&nesdev->cqp.lock, flags);
}
}
- nes_debug(NES_DBG_CQ, "iWARP CQ%u create timeout expired, major code = 0x%04X,"
- " minor code = 0x%04X\n",
- nescq->hw_cq.cq_number, cqp_request->major_code, cqp_request->minor_code);
if (!context)
pci_free_consistent(nesdev->pcidev, nescq->cq_mem_size, mem,
nescq->hw_cq.cq_pbase);
nes_free_resource(nesadapter, nesadapter->allocated_cqs, cq_num);
kfree(nescq);