IB/mad: Fix kernel crash when .process_mad() returns SUCCESS|CONSUMED

If a low-level driver returns IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_CONSUMED, handle_outgoing_dr_smp() doesn't clean up properly. The fix is to kfree the local data and break, rather than falling through. This was observed with the ipath driver, but could happen with any driver. This fixes <https://bugs.openfabrics.org/show_bug.cgi?id=1027>. Signed-off-by: Dave Olson <dave.olson@qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
author: Dave Olson <dave.olson@qlogic.com> 2008-05-23 13:52:59 -0400
committer: Roland Dreier <rolandd@cisco.com> 2008-05-23 13:52:59 -0400
commit: 5a4f2b675210718aceb4abf41617a3af31bba718 (patch)
tree: e8753ab50b255d53839e7fce70695965406a83c0
parent: e1d50dce5af77cb6d33555af70e2b8748dd84009 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index fbe16d5250a4..1adf2efd3cb3 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -747,7 +747,9 @@ static int handle_outgoing_dr_smp(struct ib_mad_agent_private *mad_agent_priv,
                break;
        case IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_CONSUMED:
                kmem_cache_free(ib_mad_cache, mad_priv);
-                break;
+                kfree(local);
+                ret = 1;
+                goto out;
        case IB_MAD_RESULT_SUCCESS:
                /* Treat like an incoming receive MAD */
                port_priv = ib_get_mad_port(mad_agent_priv->agent.device,
author	Dave Olson <dave.olson@qlogic.com>	2008-05-23 13:52:59 -0400
committer	Roland Dreier <rolandd@cisco.com>	2008-05-23 13:52:59 -0400
commit	5a4f2b675210718aceb4abf41617a3af31bba718 (patch)
tree	e8753ab50b255d53839e7fce70695965406a83c0
parent	e1d50dce5af77cb6d33555af70e2b8748dd84009 (diff)