diff options
| author | Eric Sesterhenn <snakebyte@gmx.de> | 2006-09-28 10:38:32 -0700 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2006-09-28 10:38:32 -0700 |
| commit | 44334bd97e76662c5f40c629357e6acc4dee3e8a (patch) | |
| tree | a64a99877e65dcc86b28a45a28c2ca9cb2111126 /drivers/infiniband/hw/amso1100/c2_cm.c | |
| parent | 6edf602341cd8f6e79479ff7f5bca72562c1f608 (diff) | |
RDMA/amso1100: Fix error path in c2_llp_accept()
Another NULL dereference spotted by the Coverity checker (cid #1395):
In case we can't alloc the vq_req, we goto bail1, where we call
vq_req_free(c2dev, vq_req); which then dereferences vq_req.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Acked-by: Tom Tucker <tom@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/amso1100/c2_cm.c')
| -rw-r--r-- | drivers/infiniband/hw/amso1100/c2_cm.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/amso1100/c2_cm.c b/drivers/infiniband/hw/amso1100/c2_cm.c index 485254efdd1..75b93e9b881 100644 --- a/drivers/infiniband/hw/amso1100/c2_cm.c +++ b/drivers/infiniband/hw/amso1100/c2_cm.c @@ -302,7 +302,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) vq_req = vq_req_alloc(c2dev); if (!vq_req) { err = -ENOMEM; - goto bail1; + goto bail0; } vq_req->qp = qp; vq_req->cm_id = cm_id; @@ -311,7 +311,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL); if (!wr) { err = -ENOMEM; - goto bail2; + goto bail1; } /* Build the WR */ @@ -331,7 +331,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) /* Validate private_data length */ if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) { err = -EINVAL; - goto bail2; + goto bail1; } if (iw_param->private_data) { @@ -348,19 +348,19 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) err = vq_send_wr(c2dev, (union c2wr *) wr); if (err) { vq_req_put(c2dev, vq_req); - goto bail2; + goto bail1; } /* Wait for reply from adapter */ err = vq_wait_for_reply(c2dev, vq_req); if (err) - goto bail2; + goto bail1; /* Check that reply is present */ reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg; if (!reply) { err = -ENOMEM; - goto bail2; + goto bail1; } err = c2_errno(reply); @@ -368,9 +368,8 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param) if (!err) c2_set_qp_state(qp, C2_QP_STATE_RTS); - bail2: - kfree(wr); bail1: + kfree(wr); vq_req_free(c2dev, vq_req); bail0: if (err) { |