From b2464fbf1f4c0922dd073f8d1ab7ce62e7fcbecf Mon Sep 17 00:00:00 2001
From: Matan Barak <matanb@mellanox.com>
Date: Tue, 29 Jul 2014 16:42:37 +0300
Subject: [PATCH] IB/core: Fix memory leak in cm_req_handler error flows

In cm_req_handler error flows, sometimes
cm_id_priv->timewait_info isn't free'd.

Thanks to Yohad Tor for this fix.

Signed-off-by: Matan Barak <matanb@mellanox.com>
(Ported from Mellanox OFED 2.4)

Signed-off-by: Mukesh Kacker <mukesh.kacker@oracle.com>
---
 drivers/infiniband/core/cm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 8947def09b1c..302bf8c93eb5 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -1553,8 +1553,7 @@ static int cm_req_handler(struct cm_work *work)
 	listen_cm_id_priv = cm_match_req(work, cm_id_priv);
 	if (!listen_cm_id_priv) {
 		ret = -EINVAL;
-		kfree(cm_id_priv->timewait_info);
-		goto destroy;
+		goto free_timeinfo;
 	}
 
 	cm_id_priv->id.cm_handler = listen_cm_id_priv->id.cm_handler;
@@ -1607,6 +1606,8 @@ static int cm_req_handler(struct cm_work *work)
 rejected:
 	atomic_dec(&cm_id_priv->refcount);
 	cm_deref_id(listen_cm_id_priv);
+free_timeinfo:
+	kfree(cm_id_priv->timewait_info);
 destroy:
 	ib_destroy_cm_id(cm_id);
 	return ret;
-- 
2.50.1