IB/core: Fix use after free in send_leave function (68c6bcdd) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/infiniband/core/multicast.c

+2 −11

Original line number	Diff line number	Diff line
		@@ -106,7 +106,6 @@ struct mcast_group {
		atomic_t refcount;
		enum mcast_group_state state;
		struct ib_sa_query *query;
		int query_id;
		u16 pkey_index;
		u8 leave_state;
		int retries;
		@@ -340,11 +339,7 @@ static int send_join(struct mcast_group group, struct mcast_member member)
		member->multicast.comp_mask,
		3000, GFP_KERNEL, join_handler, group,
		&group->query);
		if (ret >= 0) {
		group->query_id = ret;
		ret = 0;
		}
		return ret;
		return (ret > 0) ? 0 : ret;
		}

		static int send_leave(struct mcast_group *group, u8 leave_state)
		@@ -364,11 +359,7 @@ static int send_leave(struct mcast_group *group, u8 leave_state)
		IB_SA_MCMEMBER_REC_JOIN_STATE,
		3000, GFP_KERNEL, leave_handler,
		group, &group->query);
		if (ret >= 0) {
		group->query_id = ret;
		ret = 0;
		}
		return ret;
		return (ret > 0) ? 0 : ret;
		}

		static void join_group(struct mcast_group group, struct mcast_member member,