RDMA/nes: Free IRQ before killing tasklet
authorRoland Dreier <rolandd@cisco.com>
Thu, 17 Apr 2008 04:09:34 +0000 (21:09 -0700)
committerRoland Dreier <rolandd@cisco.com>
Thu, 17 Apr 2008 04:09:34 +0000 (21:09 -0700)
Move the free_irq() call in nes_remove() to before the tasklet_kill();
otherwise there is a window after tasklet_kill() where a new interrupt
can be handled and reschedule the tasklet, leading to a use-after-free
crash.

Cc: <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/hw/nes/nes.c

index 7a89cd7..b00b0e3 100644 (file)
@@ -744,13 +744,13 @@ static void __devexit nes_remove(struct pci_dev *pcidev)
 
        list_del(&nesdev->list);
        nes_destroy_cqp(nesdev);
+
+       free_irq(pcidev->irq, nesdev);
        tasklet_kill(&nesdev->dpc_tasklet);
 
        /* Deallocate the Adapter Structure */
        nes_destroy_adapter(nesdev->nesadapter);
 
-       free_irq(pcidev->irq, nesdev);
-
        if (nesdev->msi_enabled) {
                pci_disable_msi(pcidev);
        }