RDMA/nes: Fix error handling issues
Fix issues found by static code analysis:
(1) Check if cm_node was successfully created for loopback connection.
(2) schedule_nes_timer() does not free up allocated memory after
encountering an error. There is a WARN_ON() for this condition.
(3) there is a cm_node->freed flag which is set but not used.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Faisal Latif <faisal.latif@intel.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
index 7c94247..a09caf5 100644
--- a/drivers/infiniband/hw/nes/nes_cm.c
+++ b/drivers/infiniband/hw/nes/nes_cm.c
@@ -426,6 +426,7 @@
if (type == NES_TIMER_TYPE_CLOSE) {
new_send->timetosend += (HZ/10);
if (cm_node->recv_entry) {
+ kfree(new_send);
WARN_ON(1);
return -EINVAL;
}
@@ -1262,7 +1263,6 @@
cm_node->nesqp = NULL;
}
- cm_node->freed = 1;
kfree(cm_node);
return 0;
}
@@ -1999,13 +1999,17 @@
if (loopbackremotelistener == NULL) {
create_event(cm_node, NES_CM_EVENT_ABORTED);
} else {
- atomic_inc(&cm_loopbacks);
loopback_cm_info = *cm_info;
loopback_cm_info.loc_port = cm_info->rem_port;
loopback_cm_info.rem_port = cm_info->loc_port;
loopback_cm_info.cm_id = loopbackremotelistener->cm_id;
loopbackremotenode = make_cm_node(cm_core, nesvnic,
&loopback_cm_info, loopbackremotelistener);
+ if (!loopbackremotenode) {
+ rem_ref_cm_node(cm_node->cm_core, cm_node);
+ return NULL;
+ }
+ atomic_inc(&cm_loopbacks);
loopbackremotenode->loopbackpartner = cm_node;
loopbackremotenode->tcp_cntxt.rcv_wscale =
NES_CM_DEFAULT_RCV_WND_SCALE;