Commit cab66d12 authored Feb 04, 2013 by Dan Carpenter Committed by Roland Dreier Feb 15, 2013

IB/mlx4: Fix bug unwinding on error in mlx4_ib_init_sriov()



We have to decrement "i" before calling mlx4_ib_free_demux_ctx() or we
free something that wasn't allocated.  That's fine for free_pv_object()
but it would lead to a NULL dereference calling mlx4_ib_free_demux_ctx().
The null dereference is because ->tun is NULL when we check:

	if (!ctx->tun[i])

Also we didn't free ->sriov.demux[0] so it was a small leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>

parent 836dc9e3

drivers/infiniband/hw/mlx4/mad.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -1999,16 +1999,17 @@ int mlx4_ib_init_sriov(struct mlx4_ib_dev *dev)
		goto demux_err;
		err = mlx4_ib_alloc_demux_ctx(dev, &dev->sriov.demux[i], i + 1);
		if (err)
		goto demux_err;
		goto free_pv;
		}
		mlx4_ib_master_tunnels(dev, 1);
		return 0;

		free_pv:
		free_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1);
		demux_err:
		while (i > 0) {
		while (--i >= 0) {
		free_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1);
		mlx4_ib_free_demux_ctx(&dev->sriov.demux[i]);
		--i;
		}
		mlx4_ib_device_unregister_sysfs(dev);