[PATCH 4.7 043/141] i40iw: Avoid writing to freed memory

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mustafa Ismail <mustafa.ismail@xxxxxxxxx>

commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream.

iwpbl->iwmr points to the structure that contains iwpbl,
which is iwmr. Setting this to NULL would result in
writing to freed memory. So just free iwmr, and return.

Fixes: d37498417947 ("i40iw: add files for iwarp interface")

Reported-by: Stefan Assmann <sassmann@xxxxxxxxxx>
Signed-off-by: Mustafa Ismail <mustafa.ismail@xxxxxxxxx>
Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/infiniband/hw/i40iw/i40iw_verbs.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -1924,8 +1924,7 @@ static int i40iw_dereg_mr(struct ib_mr *
 		}
 		if (iwpbl->pbl_allocated)
 			i40iw_free_pble(iwdev->pble_rsrc, palloc);
-		kfree(iwpbl->iwmr);
-		iwpbl->iwmr = NULL;
+		kfree(iwmr);
 		return 0;
 	}