From: Ralph Campbell <ralph.campbell@qlogic.com>
Date: Fri, 27 Feb 2009 18:34:30 +0000 (-0800)
Subject: IB/mad: Fix null pointer dereference in local_completions()
X-Git-Tag: v2.6.30-rc1~665^2^6~2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d9bc6d648ece77ffb41c5a577eab81fac5ad4de;p=pandora-kernel.git

IB/mad: Fix null pointer dereference in local_completions()

handle_outgoing_dr_smp() can queue a struct ib_mad_local_private
*local on the mad_agent_priv->local_work work queue with
local->mad_priv == NULL if device->process_mad() returns
IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and
(!ib_response_mad(&mad_priv->mad.mad) ||
!mad_agent_priv->agent.recv_handler).

In this case, local_completions() will be called with local->mad_priv
== NULL. The code does check for this case and skips calling
recv_mad_agent->agent.recv_handler() but recv == 0 so
kmem_cache_free() is called with a NULL pointer.

Also, since recv isn't reinitialized each time through the loop, it
can cause a memory leak if recv should have been zero.

Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
---

Reading git-diff-tree failed