diff options
author | Ralph Campbell <ralph.campbell@qlogic.com> | 2008-07-22 17:18:33 -0400 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2008-07-22 17:18:33 -0400 |
commit | 64b784b583061ebfe1d484dd1fdc5a26c6d4293f (patch) | |
tree | 2eef2e4af37b00a6ab9c4bf2d2d60dffce980204 | |
parent | d35cb360c29956510b2fe1a953bd4968536f7216 (diff) |
IB/sa_query: Check if sm_ah is NULL in ib_sa_remove_one()
If update_sm_ah() fails, it leaves the port's sm_ah as NULL. Then if
the device or module is removed, ib_sa_remove_one() will dereference a
NULL pointer when it calls kref_put(). Fix this by testing if sm_ah
is NULL before dropping the reference.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r-- | drivers/infiniband/core/sa_query.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c index 1341de793e51..7863a50d56f2 100644 --- a/drivers/infiniband/core/sa_query.c +++ b/drivers/infiniband/core/sa_query.c | |||
@@ -1064,7 +1064,8 @@ static void ib_sa_remove_one(struct ib_device *device) | |||
1064 | 1064 | ||
1065 | for (i = 0; i <= sa_dev->end_port - sa_dev->start_port; ++i) { | 1065 | for (i = 0; i <= sa_dev->end_port - sa_dev->start_port; ++i) { |
1066 | ib_unregister_mad_agent(sa_dev->port[i].agent); | 1066 | ib_unregister_mad_agent(sa_dev->port[i].agent); |
1067 | kref_put(&sa_dev->port[i].sm_ah->ref, free_sm_ah); | 1067 | if (sa_dev->port[i].sm_ah) |
1068 | kref_put(&sa_dev->port[i].sm_ah->ref, free_sm_ah); | ||
1068 | } | 1069 | } |
1069 | 1070 | ||
1070 | kfree(sa_dev); | 1071 | kfree(sa_dev); |