From: Roland Dreier <roland@eddore.topspincom.com>
Date: Sat, 10 Sep 2005 03:52:00 +0000 (-0700)
Subject: [PATCH] IB: fix CM use-after-free
X-Git-Tag: v2.6.14-rc1~115^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b205c2d2464bfecbba80227e74b412596dc5521;p=pandora-kernel.git

[PATCH] IB: fix CM use-after-free

If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info.  But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed.  Make sure we clear cm_id_priv->timewait_info
after freeing it, so that doesn't happen.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
---

Reading git-diff-tree failed