RDMA/amso1100: Fix error path in c2_llp_accept()

Another NULL dereference spotted by the Coverity checker (cid #1395): In case we can't alloc the vq_req, we goto bail1, where we call vq_req_free(c2dev, vq_req); which then dereferences vq_req. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>

RDMA/amso1100: Fix error path in c2_llp_accept()
Another NULL dereference spotted by the Coverity checker (cid #1395): In case we can't alloc the vq_req, we goto bail1, where we call vq_req_free(c2dev, vq_req); which then dereferences vq_req. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
44334bd9 · Eric Sesterhenn · Roland Dreier · 6edf6023 · 44334bd9
Commit 44334bd9 authored Sep 28, 2006 by Eric Sesterhenn Committed by Roland Dreier Sep 28, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 8 deletions

drivers/infiniband/hw/amso1100/c2_cm.c drivers/infiniband/hw/amso1100/c2_cm.c +7 -8

No files found.
--- a/drivers/infiniband/hw/amso1100/c2_cm.c
+++ b/drivers/infiniband/hw/amso1100/c2_cm.c
@@ -302,7 +302,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
 	vq_req = vq_req_alloc(c2dev);
 	if (!vq_req) {
 		err = -ENOMEM;
-		goto bail1;
+		goto bail0;
 	}
 	vq_req->qp = qp;
 	vq_req->cm_id = cm_id;
@@ -311,7 +311,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
 	wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL);
 	if (!wr) {
 		err = -ENOMEM;
-		goto bail2;
+		goto bail1;
 	}
 	/* Build the WR */
@@ -331,7 +331,7 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
 	/* Validate private_data length */
 	if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) {
 		err = -EINVAL;
-		goto bail2;
+		goto bail1;
 	}
 	if (iw_param->private_data) {
@@ -348,19 +348,19 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
 	err = vq_send_wr(c2dev, (union c2wr *) wr);
 	if (err) {
 		vq_req_put(c2dev, vq_req);
-		goto bail2;
+		goto bail1;
 	}
 	/* Wait for reply from adapter */
 	err = vq_wait_for_reply(c2dev, vq_req);
 	if (err)
-		goto bail2;
+		goto bail1;
 	/* Check that reply is present */
 	reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg;
 	if (!reply) {
 		err = -ENOMEM;
-		goto bail2;
+		goto bail1;
 	}
 	err = c2_errno(reply);
@@ -368,9 +368,8 @@ int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
 	if (!err)
 		c2_set_qp_state(qp, C2_QP_STATE_RTS);
- bail2:
-	kfree(wr);
 bail1:
+	kfree(wr);
 	vq_req_free(c2dev, vq_req);
 bail0:
 	if (err) {