diff options
author | Eric Sesterhenn <snakebyte@gmx.de> | 2006-09-28 13:38:32 -0400 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2006-09-28 13:38:32 -0400 |
commit | 44334bd97e76662c5f40c629357e6acc4dee3e8a (patch) | |
tree | a64a99877e65dcc86b28a45a28c2ca9cb2111126 | |
parent | 6edf602341cd8f6e79479ff7f5bca72562c1f608 (diff) |
RDMA/amso1100: Fix error path in c2_llp_accept()
Another NULL dereference spotted by the Coverity checker (cid #1395):
In case we can't alloc the vq_req, we goto bail1, where we call
vq_req_free(c2dev, vq_req); which then dereferences vq_req.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Acked-by: Tom Tucker <tom@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r-- | drivers/infiniband/hw/amso1100/c2_cm.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/amso1100/c2_cm.c b/drivers/infiniband/hw/amso1100/c2_cm.c index 485254efdd1e..75b93e9b8810 100644 --- a/drivers/infiniband/hw/amso1100/c2_cm.c +++ b/drivers/infiniband/hw/amso1100/c2_cm.c | |||
@@ -302,7 +302,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) | |||
302 | vq_req = vq_req_alloc(c2dev); | 302 | vq_req = vq_req_alloc(c2dev); |
303 | if (!vq_req) { | 303 | if (!vq_req) { |
304 | err = -ENOMEM; | 304 | err = -ENOMEM; |
305 | goto bail1; | 305 | goto bail0; |
306 | } | 306 | } |
307 | vq_req->qp = qp; | 307 | vq_req->qp = qp; |
308 | vq_req->cm_id = cm_id; | 308 | vq_req->cm_id = cm_id; |
@@ -311,7 +311,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) | |||
311 | wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL); | 311 | wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL); |
312 | if (!wr) { | 312 | if (!wr) { |
313 | err = -ENOMEM; | 313 | err = -ENOMEM; |
314 | goto bail2; | 314 | goto bail1; |
315 | } | 315 | } |
316 | 316 | ||
317 | /* Build the WR */ | 317 | /* Build the WR */ |
@@ -331,7 +331,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) | |||
331 | /* Validate private_data length */ | 331 | /* Validate private_data length */ |
332 | if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) { | 332 | if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) { |
333 | err = -EINVAL; | 333 | err = -EINVAL; |
334 | goto bail2; | 334 | goto bail1; |
335 | } | 335 | } |
336 | 336 | ||
337 | if (iw_param->private_data) { | 337 | if (iw_param->private_data) { |
@@ -348,19 +348,19 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) | |||
348 | err = vq_send_wr(c2dev, (union c2wr *) wr); | 348 | err = vq_send_wr(c2dev, (union c2wr *) wr); |
349 | if (err) { | 349 | if (err) { |
350 | vq_req_put(c2dev, vq_req); | 350 | vq_req_put(c2dev, vq_req); |
351 | goto bail2; | 351 | goto bail1; |
352 | } | 352 | } |
353 | 353 | ||
354 | /* Wait for reply from adapter */ | 354 | /* Wait for reply from adapter */ |
355 | err = vq_wait_for_reply(c2dev, vq_req); | 355 | err = vq_wait_for_reply(c2dev, vq_req); |
356 | if (err) | 356 | if (err) |
357 | goto bail2; | 357 | goto bail1; |
358 | 358 | ||
359 | /* Check that reply is present */ | 359 | /* Check that reply is present */ |
360 | reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg; | 360 | reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg; |
361 | if (!reply) { | 361 | if (!reply) { |
362 | err = -ENOMEM; | 362 | err = -ENOMEM; |
363 | goto bail2; | 363 | goto bail1; |
364 | } | 364 | } |
365 | 365 | ||
366 | err = c2_errno(reply); | 366 | err = c2_errno(reply); |
@@ -368,9 +368,8 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) | |||
368 | 368 | ||
369 | if (!err) | 369 | if (!err) |
370 | c2_set_qp_state(qp, C2_QP_STATE_RTS); | 370 | c2_set_qp_state(qp, C2_QP_STATE_RTS); |
371 | bail2: | ||
372 | kfree(wr); | ||
373 | bail1: | 371 | bail1: |
372 | kfree(wr); | ||
374 | vq_req_free(c2dev, vq_req); | 373 | vq_req_free(c2dev, vq_req); |
375 | bail0: | 374 | bail0: |
376 | if (err) { | 375 | if (err) { |