aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Sesterhenn <snakebyte@gmx.de>2006-09-28 13:38:32 -0400
committerRoland Dreier <rolandd@cisco.com>2006-09-28 13:38:32 -0400
commit44334bd97e76662c5f40c629357e6acc4dee3e8a (patch)
treea64a99877e65dcc86b28a45a28c2ca9cb2111126
parent6edf602341cd8f6e79479ff7f5bca72562c1f608 (diff)
RDMA/amso1100: Fix error path in c2_llp_accept()
Another NULL dereference spotted by the Coverity checker (cid #1395): In case we can't alloc the vq_req, we goto bail1, where we call vq_req_free(c2dev, vq_req); which then dereferences vq_req. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/hw/amso1100/c2_cm.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/amso1100/c2_cm.c b/drivers/infiniband/hw/amso1100/c2_cm.c
index 485254efdd1e..75b93e9b8810 100644
--- a/drivers/infiniband/hw/amso1100/c2_cm.c
+++ b/drivers/infiniband/hw/amso1100/c2_cm.c
@@ -302,7 +302,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
302 vq_req = vq_req_alloc(c2dev); 302 vq_req = vq_req_alloc(c2dev);
303 if (!vq_req) { 303 if (!vq_req) {
304 err = -ENOMEM; 304 err = -ENOMEM;
305 goto bail1; 305 goto bail0;
306 } 306 }
307 vq_req->qp = qp; 307 vq_req->qp = qp;
308 vq_req->cm_id = cm_id; 308 vq_req->cm_id = cm_id;
@@ -311,7 +311,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
311 wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL); 311 wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL);
312 if (!wr) { 312 if (!wr) {
313 err = -ENOMEM; 313 err = -ENOMEM;
314 goto bail2; 314 goto bail1;
315 } 315 }
316 316
317 /* Build the WR */ 317 /* Build the WR */
@@ -331,7 +331,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
331 /* Validate private_data length */ 331 /* Validate private_data length */
332 if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) { 332 if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) {
333 err = -EINVAL; 333 err = -EINVAL;
334 goto bail2; 334 goto bail1;
335 } 335 }
336 336
337 if (iw_param->private_data) { 337 if (iw_param->private_data) {
@@ -348,19 +348,19 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
348 err = vq_send_wr(c2dev, (union c2wr *) wr); 348 err = vq_send_wr(c2dev, (union c2wr *) wr);
349 if (err) { 349 if (err) {
350 vq_req_put(c2dev, vq_req); 350 vq_req_put(c2dev, vq_req);
351 goto bail2; 351 goto bail1;
352 } 352 }
353 353
354 /* Wait for reply from adapter */ 354 /* Wait for reply from adapter */
355 err = vq_wait_for_reply(c2dev, vq_req); 355 err = vq_wait_for_reply(c2dev, vq_req);
356 if (err) 356 if (err)
357 goto bail2; 357 goto bail1;
358 358
359 /* Check that reply is present */ 359 /* Check that reply is present */
360 reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg; 360 reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg;
361 if (!reply) { 361 if (!reply) {
362 err = -ENOMEM; 362 err = -ENOMEM;
363 goto bail2; 363 goto bail1;
364 } 364 }
365 365
366 err = c2_errno(reply); 366 err = c2_errno(reply);
@@ -368,9 +368,8 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
368 368
369 if (!err) 369 if (!err)
370 c2_set_qp_state(qp, C2_QP_STATE_RTS); 370 c2_set_qp_state(qp, C2_QP_STATE_RTS);
371 bail2:
372 kfree(wr);
373 bail1: 371 bail1:
372 kfree(wr);
374 vq_req_free(c2dev, vq_req); 373 vq_req_free(c2dev, vq_req);
375 bail0: 374 bail0:
376 if (err) { 375 if (err) {