From: Mustafa Ismail <mustafa.ismail@intel.com>
Date: Tue, 23 Aug 2016 22:24:56 +0000 (-0500)
Subject: i40iw: Avoid writing to freed memory
X-Git-Tag: v4.7.7~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bdb4f53663f5b218f2db48d7344845e569b7169;p=thirdparty%2Fkernel%2Fstable.git

i40iw: Avoid writing to freed memory

commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream.

iwpbl->iwmr points to the structure that contains iwpbl,
which is iwmr. Setting this to NULL would result in
writing to freed memory. So just free iwmr, and return.

Fixes: d37498417947 ("i40iw: add files for iwarp interface")

Reported-by: Stefan Assmann <sassmann@redhat.com>
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
index d2a479cdb1416..f24bfbdddfaaf 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -1924,8 +1924,7 @@ static int i40iw_dereg_mr(struct ib_mr *ib_mr)
 		}
 		if (iwpbl->pbl_allocated)
 			i40iw_free_pble(iwdev->pble_rsrc, palloc);
-		kfree(iwpbl->iwmr);
-		iwpbl->iwmr = NULL;
+		kfree(iwmr);
 		return 0;
 	}