[14/37] RDMA/nes: Free IRQ before killing tasklet

From: Greg KH
Date: Tue Apr 29 2008 - 13:25:59 EST


2.6.25-stable review patch. If anyone has any objections, please let us
know.

------------------
From: Roland Dreier <rolandd@xxxxxxxxx>

commit: 4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66

Move the free_irq() call in nes_remove() to before the tasklet_kill();
otherwise there is a window after tasklet_kill() where a new interrupt
can be handled and reschedule the tasklet, leading to a use-after-free
crash.

Signed-off-by: Roland Dreier <rolandd@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/infiniband/hw/nes/nes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/nes/nes.c
+++ b/drivers/infiniband/hw/nes/nes.c
@@ -751,13 +751,13 @@ static void __devexit nes_remove(struct

list_del(&nesdev->list);
nes_destroy_cqp(nesdev);
+
+ free_irq(pcidev->irq, nesdev);
tasklet_kill(&nesdev->dpc_tasklet);

/* Deallocate the Adapter Structure */
nes_destroy_adapter(nesdev->nesadapter);

- free_irq(pcidev->irq, nesdev);
-
if (nesdev->msi_enabled) {
pci_disable_msi(pcidev);
}
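
Review bot: In the reordered block, free_irq() still sits after nes_destroy_cqp(nesdev), so between those two calls the handler can still run and schedule dpc_tasklet. If the handler or the tasklet touches anything nes_destroy_cqp() tears down, the same class of window the commit message describes remains one step earlier, and free_irq() should move above nes_destroy_cqp() as well. It would be worth confirming that, or stating in the changelog why it is safe. A one-line comment above free_irq() saying it must precede tasklet_kill(), because the interrupt handler reschedules the tasklet, would also keep a later cleanup from putting the calls back in the old order.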
