diff options
author | Yevgeny Petrilin <yevgenyp@mellanox.co.il> | 2011-03-30 23:28:52 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-03-31 02:52:17 -0700 |
commit | 53020092bd89b0d4ccc5368a3956f43cb43e5665 (patch) | |
tree | e77703aed0ac7d44fa82736c935039638ea6c280 | |
parent | 5e8996e72899847269ca36061ea33ea24bf6cb90 (diff) | |
download | kernel_samsung_aries-53020092bd89b0d4ccc5368a3956f43cb43e5665.zip kernel_samsung_aries-53020092bd89b0d4ccc5368a3956f43cb43e5665.tar.gz kernel_samsung_aries-53020092bd89b0d4ccc5368a3956f43cb43e5665.tar.bz2 |
mlx4: Fixing use after free
In case of allocation failure, tried to use the promiscuous QP
entry that was previously freed.
Now freeing this entry only in case we will not put it back to the list
of promiscuous entries.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/mlx4/mcg.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/mlx4/mcg.c b/drivers/net/mlx4/mcg.c index e71372a..37150b2 100644 --- a/drivers/net/mlx4/mcg.c +++ b/drivers/net/mlx4/mcg.c @@ -469,7 +469,6 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port, /*remove from list of promisc qps */ list_del(&pqp->list); - kfree(pqp); /* set the default entry not to include the removed one */ mailbox = mlx4_alloc_cmd_mailbox(dev); @@ -528,6 +527,8 @@ out_mailbox: out_list: if (back_to_list) list_add_tail(&pqp->list, &s_steer->promisc_qps[steer]); + else + kfree(pqp); out_mutex: mutex_unlock(&priv->mcg_table.mutex); return err; |