diff mbox

i40iw: Avoid writing to freed memory

Message ID 1471991096-85476-1-git-send-email-shiraz.saleem@intel.com (mailing list archive)
State Accepted
Headers show

Commit Message

Saleem, Shiraz Aug. 23, 2016, 10:24 p.m. UTC 
From: Mustafa Ismail <mustafa.ismail@intel.com>

iwpbl->iwmr points to the structure that contains iwpbl, 
which is iwmr. Setting this to NULL would result in 
writing to freed memory. So just free iwmr, and return. 

Fixes: d37498417947 ("i40iw: add files for iwarp interface")

Reported-by: Stefan Assmann <sassmann@redhat.com>
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
---
 drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Doug Ledford Aug. 24, 2016, 3:34 p.m. UTC | #1 
On 8/23/2016 6:24 PM, Shiraz Saleem wrote:
> From: Mustafa Ismail <mustafa.ismail@intel.com>
> 
> iwpbl->iwmr points to the structure that contains iwpbl, 
> which is iwmr. Setting this to NULL would result in 
> writing to freed memory. So just free iwmr, and return. 
> 
> Fixes: d37498417947 ("i40iw: add files for iwarp interface")
> 
> Reported-by: Stefan Assmann <sassmann@redhat.com>
> Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>

Thanks, applied.
diff mbox

Patch

diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
index e8a6e91..567cb48 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -1926,8 +1926,7 @@  static int i40iw_dereg_mr(struct ib_mr *ib_mr)
 		}
 		if (iwpbl->pbl_allocated)
 			i40iw_free_pble(iwdev->pble_rsrc, palloc);
-		kfree(iwpbl->iwmr);
-		iwpbl->iwmr = NULL;
+		kfree(iwmr);
 		return 0;
 	}