summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYevgeny Petrilin <yevgenyp@mellanox.co.il>2011-03-30 23:28:52 +0000
committerDavid S. Miller <davem@davemloft.net>2011-03-31 02:52:17 -0700
commit53020092bd89b0d4ccc5368a3956f43cb43e5665 (patch)
treee77703aed0ac7d44fa82736c935039638ea6c280
parent5e8996e72899847269ca36061ea33ea24bf6cb90 (diff)
downloadlinux-3.10-53020092bd89b0d4ccc5368a3956f43cb43e5665.tar.gz
linux-3.10-53020092bd89b0d4ccc5368a3956f43cb43e5665.tar.bz2
linux-3.10-53020092bd89b0d4ccc5368a3956f43cb43e5665.zip
mlx4: Fixing use after free
In case of allocation failure, tried to use the promiscuous QP entry that was previously freed. Now freeing this entry only in case we will not put it back to the list of promiscuous entries. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/mlx4/mcg.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/mlx4/mcg.c b/drivers/net/mlx4/mcg.c
index e71372aa9cc..37150b2f642 100644
--- a/drivers/net/mlx4/mcg.c
+++ b/drivers/net/mlx4/mcg.c
@@ -469,7 +469,6 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port,
/*remove from list of promisc qps */
list_del(&pqp->list);
- kfree(pqp);
/* set the default entry not to include the removed one */
mailbox = mlx4_alloc_cmd_mailbox(dev);
@@ -528,6 +527,8 @@ out_mailbox:
out_list:
if (back_to_list)
list_add_tail(&pqp->list, &s_steer->promisc_qps[steer]);
+ else
+ kfree(pqp);
out_mutex:
mutex_unlock(&priv->mcg_table.mutex);
return err;