IB/mthca: Fix access to freed memory in catastrophic event handling
Jack Morgenstein [Thu, 24 Sep 2009 18:55:41 +0000 (11:55 -0700)]
catas_reset() uses a pointer to mthca_dev, but mthca_dev is not valid
after the call to __mthca_restart_one().

Based on a similar patch for mlx4 (634354d7, "mlx4: Fix access to
freed memory") by Vitaliy Gusev <vgusev@openvz.org>

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

drivers/infiniband/hw/mthca/mthca_catas.c

index 056b2a4..0aa0110 100644 (file)
@@ -68,11 +68,16 @@ static void catas_reset(struct work_struct *work)
        spin_unlock_irq(&catas_lock);
 
        list_for_each_entry_safe(dev, tmpdev, &tlist, catas_err.list) {
+               struct pci_dev *pdev = dev->pdev;
                ret = __mthca_restart_one(dev->pdev);
+               /* 'dev' now is not valid */
                if (ret)
-                       mthca_err(dev, "Reset failed (%d)\n", ret);
-               else
-                       mthca_dbg(dev, "Reset succeeded\n");
+                       printk(KERN_ERR "mthca %s: Reset failed (%d)\n",
+                              pci_name(pdev), ret);
+               else {
+                       struct mthca_dev *d = pci_get_drvdata(pdev);
+                       mthca_dbg(d, "Reset succeeded\n");
+               }
        }
 
        mutex_unlock(&mthca_device_mutex);
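Review bot: The restart call still reads `dev->pdev` even though `pdev` was cached on the line above; writing it as `ret = __mthca_restart_one(pdev);` would make it obvious that `pdev` is the only handle that outlives the restart. The comment `/* 'dev' now is not valid */` would help the next maintainer more if it said why and what to use instead, e.g. `/* __mthca_restart_one() frees the old mthca_dev; use only pdev from here on */`. In the success branch, `d` from `pci_get_drvdata(pdev)` is passed to `mthca_dbg()` unchecked; this presumably relies on a zero return meaning fresh drvdata was installed and on `mthca_device_mutex` still being held, which is worth a one-line comment since neither is visible in this hunk. The body of `catas_reset()` begins and ends outside the hunk.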