Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4cd1e5eb authored by Roland Dreier's avatar Roland Dreier
Browse files

RDMA/nes: Free IRQ before killing tasklet 



Move the free_irq() call in nes_remove() to before the tasklet_kill();
otherwise there is a window after tasklet_kill() where a new interrupt
can be handled and reschedule the tasklet, leading to a use-after-free
crash.

Cc: <stable@kernel.org>
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent 940801b2

drivers/infiniband/hw/nes/nes.c

+2 −2
Original line number Diff line number Diff line
@@ -744,13 +744,13 @@ static void __devexit nes_remove(struct pci_dev *pcidev) 


	list_del(&nesdev->list);

	nes_destroy_cqp(nesdev);



	free_irq(pcidev->irq, nesdev);

	tasklet_kill(&nesdev->dpc_tasklet);



	/* Deallocate the Adapter Structure */

	nes_destroy_adapter(nesdev->nesadapter);



	free_irq(pcidev->irq, nesdev);



	if (nesdev->msi_enabled) {

		pci_disable_msi(pcidev);

	}