RDMA/nes: Free IRQ before killing tasklet

Move the free_irq() call in nes_remove() to before the tasklet_kill(); otherwise there is a window after tasklet_kill() where a new interrupt can be handled and reschedule the tasklet, leading to a use-after-free crash. Cc: <stable@kernel.org> Signed-off-by: Roland Dreier <rolandd@cisco.com>
git-mirror · Apr 17, 2008 · 4cd1e5e · 4cd1e5e
1 parent 940801b
commit 4cd1e5e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
@@ -744,13 +744,13 @@ static void __devexit nes_remove(struct pci_dev *pcidev)
 
 	list_del(&nesdev->list);
 	nes_destroy_cqp(nesdev);
+
+	free_irq(pcidev->irq, nesdev);
 	tasklet_kill(&nesdev->dpc_tasklet);
 
 	/* Deallocate the Adapter Structure */
 	nes_destroy_adapter(nesdev->nesadapter);
 
-	free_irq(pcidev->irq, nesdev);
-
 	if (nesdev->msi_enabled) {
 		pci_disable_msi(pcidev);
 	}