authorRalph Campbell <ralph.campbell@qlogic.com>2009-02-27 13:34:30 -0500
committerRoland Dreier <rolandd@cisco.com>2009-02-27 13:34:30 -0500
commit1d9bc6d648ece77ffb41c5a577eab81fac5ad4de (patch)
treef4694fe940cfd4cef0c1a96fd436984c1b2c6ea5 /drivers/infiniband
parent7020cb0fe216fdcec246cdc2412614a3190fbb2f (diff)
IB/mad: Fix null pointer dereference in local_completions()
handle_outgoing_dr_smp() can queue a struct ib_mad_local_private *local on the mad_agent_priv->local_work work queue with local->mad_priv == NULL if device->process_mad() returns IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and (!ib_response_mad(&mad_priv->mad.mad) || !mad_agent_priv->agent.recv_handler). In this case, local_completions() will be called with local->mad_priv == NULL. The code does check for this case and skips calling recv_mad_agent->agent.recv_handler() but recv == 0 so kmem_cache_free() is called with a NULL pointer. Also, since recv isn't reinitialized each time through the loop, it can cause a memory leak if recv should have been zero. Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r--drivers/infiniband/core/mad.c7
1 files changed, 4 insertions, 3 deletions
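diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 5c54fc2350b..735ad4ea10f 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -2356,7 +2356,7 @@ static void local_completions(struct work_struct *work)
 	struct ib_mad_local_private *local;
 	struct ib_mad_agent_private *recv_mad_agent;
 	unsigned long flags;
-	int recv = 0;
+	int free_mad;
 	struct ib_wc wc;
 	struct ib_mad_send_wc mad_send_wc;
 
@@ -2370,14 +2370,15 @@ static void local_completions(struct work_struct *work)
 				 completion_list);
 		list_del(&local->completion_list);
 		spin_unlock_irqrestore(&mad_agent_priv->lock, flags);
+		free_mad = 0;
 		if (local->mad_priv) {
 			recv_mad_agent = local->recv_mad_agent;
 			if (!recv_mad_agent) {
 				printk(KERN_ERR PFX "No receive MAD agent for local completion\n");
+				free_mad = 1;
 				goto local_send_completion;
 			}
 
-			recv = 1;
 			/*
 			 * Defined behavior is to complete response
 			 * before request
@@ -2422,7 +2423,7 @@ local_send_completion:
 
 		spin_lock_irqsave(&mad_agent_priv->lock, flags);
 		atomic_dec(&mad_agent_priv->refcount);
-		if (free_mad)
+		if (free_mad)
 			kmem_cache_free(ib_mad_cache, local->mad_priv);
 		kfree(local);
 	}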
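Review bot: The meaning of `free_mad` is only implied by its single `= 1` assignment in the no-recv-agent path, so the declaration in the first hunk deserves a comment, e.g. `int free_mad; /* 1 when mad_priv was never handed to a recv_handler and we must free it here */`. The `free_mad = 0;` placed before the `if (local->mad_priv)` test is what prevents one iteration's value from leaking into the next, which the commit message explains but the code does not; a short comment there, `/* reset per completion: a NULL mad_priv must not be freed */`, would keep that invariant from being silently undone by a later edit. The loop header and the recv_handler call that sits between the second and third hunks are outside this view, so I cannot confirm that the handler path takes ownership of mad_priv; the new code relies on that, and it is worth stating in the same comment.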