Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755769AbcJFIhD (ORCPT ); Thu, 6 Oct 2016 04:37:03 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:47132 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755058AbcJFIg7 (ORCPT ); Thu, 6 Oct 2016 04:36:59 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stefan Assmann , Mustafa Ismail , Shiraz Saleem , Doug Ledford Subject: [PATCH 4.7 043/141] i40iw: Avoid writing to freed memory Date: Thu, 6 Oct 2016 10:27:59 +0200 Message-Id: <20161006074450.557915916@linuxfoundation.org> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20161006074448.608056610@linuxfoundation.org> References: <20161006074448.608056610@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1138 Lines: 37 4.7-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mustafa Ismail commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream. iwpbl->iwmr points to the structure that contains iwpbl, which is iwmr. Setting this to NULL would result in writing to freed memory. So just free iwmr, and return. Fixes: d37498417947 ("i40iw: add files for iwarp interface") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c +++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c @@ -1924,8 +1924,7 @@ static int i40iw_dereg_mr(struct ib_mr * } if (iwpbl->pbl_allocated) i40iw_free_pble(iwdev->pble_rsrc, palloc); - kfree(iwpbl->iwmr); - iwpbl->iwmr = NULL; + kfree(iwmr); return 0; }