[ofa-general] [PATCH] mthca: Fix access to freed memory in catas processing

[Jack Morgenstein]

catas_reset() uses a pointer to mthca_dev, but mthca_dev may not be valid after
the call to __mthca_restart_one().

Based on a similar patch for mlx4 by Vitaliy Gusev <vgusev at openvz.org>

Signed-off-by: Jack Morgenstein <jackm at dev.mellanox.co.il>

---
Roland,
Here is the equivalent patch for mthca catas error processing.  Here, also, we need to
avoid accessing freed memory.

I allocated the "d" struct pointer, because I think that using the "dev" loop variable could
be problematic (I do not want to depend on the internals of "list_for_each_entry_safe").

diff --git a/drivers/infiniband/hw/mthca/mthca_catas.c b/drivers/infiniband/hw/mthca/mthca_catas.c
index 056b2a4..0aa0110 100644
--- a/drivers/infiniband/hw/mthca/mthca_catas.c
+++ b/drivers/infiniband/hw/mthca/mthca_catas.c
@@ -68,11 +68,16 @@ static void catas_reset(struct work_struct *work)
 	spin_unlock_irq(&catas_lock);
 
 	list_for_each_entry_safe(dev, tmpdev, &tlist, catas_err.list) {
+		struct pci_dev *pdev = dev->pdev;
 		ret = __mthca_restart_one(dev->pdev);
+		/* 'dev' now is not valid */
 		if (ret)
-			mthca_err(dev, "Reset failed (%d)\n", ret);
-		else
-			mthca_dbg(dev, "Reset succeeded\n");
+			printk(KERN_ERR "mthca %s: Reset failed (%d)\n",
+			       pci_name(pdev), ret);
+		else {
+			struct mthca_dev *d = pci_get_drvdata(pdev);
+			mthca_dbg(d, "Reset succeeded\n");
+		}
 	}
 
 	mutex_unlock(&mthca_device_mutex);