IB/core: Fix memory leak in cm_req_handler error flows
authorMatan Barak <matanb@mellanox.com>
Tue, 14 Nov 2017 12:51:57 +0000 (14:51 +0200)
committerJason Gunthorpe <jgg@mellanox.com>
Mon, 18 Dec 2017 22:37:05 +0000 (15:37 -0700)
In cm_req_handler error flows, sometimes cm_id_priv->timewait_info
isn't free'd.

Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Mukesh Kacker <mukesh.kacker@oracle.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
drivers/infiniband/core/cm.c

index 1cafa8350c52a7c4bacdc35903c04445f08f2392..dbbebbb5c315a5242ad72e7d1e04a2725ebec9bc 100644 (file)
@@ -1876,8 +1876,7 @@ static int cm_req_handler(struct cm_work *work)
        listen_cm_id_priv = cm_match_req(work, cm_id_priv);
        if (!listen_cm_id_priv) {
                ret = -EINVAL;
-               kfree(cm_id_priv->timewait_info);
-               goto destroy;
+               goto free_timeinfo;
        }
 
        cm_id_priv->id.cm_handler = listen_cm_id_priv->id.cm_handler;
@@ -1979,6 +1978,8 @@ static int cm_req_handler(struct cm_work *work)
 rejected:
        atomic_dec(&cm_id_priv->refcount);
        cm_deref_id(listen_cm_id_priv);
+free_timeinfo:
+       kfree(cm_id_priv->timewait_info);
 destroy:
        ib_destroy_cm_id(cm_id);
        return ret;
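Review bot: After `kfree(cm_id_priv->timewait_info);` at the new `free_timeinfo:` label, the pointer is left dangling while `ib_destroy_cm_id(cm_id)` runs on the same object on the next line. Whether the destroy path reads or frees that field is not visible here, so adding `cm_id_priv->timewait_info = NULL;` right after the kfree would rule out a use-after-free or double free. The label also sits on the fall-through from `rejected:`, so every `goto rejected` now reaches this kfree, and those jump sites lie outside both hunks. It is worth confirming that none of them has already released timewait_info or left it linked in a CM lookup structure (for example after a successful `cm_match_req()`), because a plain kfree would then leave a stale reference behind. cm_req_handler's body begins outside the hunk.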