From: Roland Dreier Date: Thu, 17 Apr 2008 04:09:34 +0000 (-0700) Subject: RDMA/nes: Free IRQ before killing tasklet X-Git-Tag: firefly_0821_release~21633^2~7 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66;p=firefly-linux-kernel-4.4.55.git RDMA/nes: Free IRQ before killing tasklet Move the free_irq() call in nes_remove() to before the tasklet_kill(); otherwise there is a window after tasklet_kill() where a new interrupt can be handled and reschedule the tasklet, leading to a use-after-free crash. Cc: Signed-off-by: Roland Dreier --- diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c index 7a89cd7327e2..b00b0e3a91dc 100644 --- a/drivers/infiniband/hw/nes/nes.c +++ b/drivers/infiniband/hw/nes/nes.c @@ -744,13 +744,13 @@ static void __devexit nes_remove(struct pci_dev *pcidev) list_del(&nesdev->list); nes_destroy_cqp(nesdev); + + free_irq(pcidev->irq, nesdev); tasklet_kill(&nesdev->dpc_tasklet); /* Deallocate the Adapter Structure */ nes_destroy_adapter(nesdev->nesadapter); - free_irq(pcidev->irq, nesdev); - if (nesdev->msi_enabled) { pci_disable_msi(pcidev); }