aboutsummaryrefslogtreecommitdiff
path: root/drivers/infiniband/hw/amso1100
diff options
context:
space:
mode:
authorEric Sesterhenn <snakebyte@gmx.de>2006-09-28 10:38:32 -0700
committerRoland Dreier <rolandd@cisco.com>2006-09-28 10:38:32 -0700
commit44334bd97e76662c5f40c629357e6acc4dee3e8a (patch)
treea64a99877e65dcc86b28a45a28c2ca9cb2111126 /drivers/infiniband/hw/amso1100
parent6edf602341cd8f6e79479ff7f5bca72562c1f608 (diff)
RDMA/amso1100: Fix error path in c2_llp_accept()
Another NULL dereference spotted by the Coverity checker (cid #1395): In case we can't alloc the vq_req, we goto bail1, where we call vq_req_free(c2dev, vq_req); which then dereferences vq_req. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/amso1100')
-rw-r--r--drivers/infiniband/hw/amso1100/c2_cm.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/amso1100/c2_cm.c b/drivers/infiniband/hw/amso1100/c2_cm.c
index 485254efdd1..75b93e9b881 100644
--- a/drivers/infiniband/hw/amso1100/c2_cm.c
+++ b/drivers/infiniband/hw/amso1100/c2_cm.c
@@ -302,7 +302,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
vq_req = vq_req_alloc(c2dev);
if (!vq_req) {
err = -ENOMEM;
- goto bail1;
+ goto bail0;
}
vq_req->qp = qp;
vq_req->cm_id = cm_id;
@@ -311,7 +311,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL);
if (!wr) {
err = -ENOMEM;
- goto bail2;
+ goto bail1;
}
/* Build the WR */
@@ -331,7 +331,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
/* Validate private_data length */
if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) {
err = -EINVAL;
- goto bail2;
+ goto bail1;
}
if (iw_param->private_data) {
@@ -348,19 +348,19 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
err = vq_send_wr(c2dev, (union c2wr *) wr);
if (err) {
vq_req_put(c2dev, vq_req);
- goto bail2;
+ goto bail1;
}
/* Wait for reply from adapter */
err = vq_wait_for_reply(c2dev, vq_req);
if (err)
- goto bail2;
+ goto bail1;
/* Check that reply is present */
reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg;
if (!reply) {
err = -ENOMEM;
- goto bail2;
+ goto bail1;
}
err = c2_errno(reply);
@@ -368,9 +368,8 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
if (!err)
c2_set_qp_state(qp, C2_QP_STATE_RTS);
- bail2:
- kfree(wr);
bail1:
+ kfree(wr);
vq_req_free(c2dev, vq_req);
bail0:
if (err) {