infiniband/hw/nes/nes_cm.c: use-after-free

From: Adrian Bunk
Date: Tue Feb 19 2008 - 19:59:49 EST

Next message: Jesse Barnes: "Re: 2.6.25-rc2 System no longer powers off after suspend-to-disk. Screen becomes green."
Previous message: Dave Airlie: "[git pull] agp patches for 2.6.25-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Spotted by the Coverity checker.

<-- snip -->

...
static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
struct nes_cm_listener *listener, int free_hanging_nodes)
{
int ret = 1;
unsigned long flags;
spin_lock_irqsave(&cm_core->listen_list_lock, flags);
if (!atomic_dec_return(&listener->ref_count)) {
list_del(&listener->list);

/* decrement our listen node count */
atomic_dec(&cm_core->listen_node_cnt);

spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);

if (listener->nesvnic) {
nes_manage_apbvt(listener->nesvnic, listener->loc_port,
PCI_FUNC(listener->nesvnic->nesdev->pcidev->devfn), NES_MANAGE_APBVT_DEL);
}

nes_debug(NES_DBG_CM, "destroying listener (%p)\n", listener);

kfree(listener); <----------------------------------
ret = 0;
cm_listens_destroyed++;
} else {
spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
}
if (listener) {
if (atomic_read(&listener->pend_accepts_cnt) > 0)
... ^^^^^^^^^^^^^^^^^^^^^^^^^^

<-- snip -->

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jesse Barnes: "Re: 2.6.25-rc2 System no longer powers off after suspend-to-disk. Screen becomes green."
Previous message: Dave Airlie: "[git pull] agp patches for 2.6.25-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]