From 092d2a8e58cad4c9cac3dc573f5af6409d2d1ce6 Mon Sep 17 00:00:00 2001
From: Alistair Popple
Date: Thu, 18 Jun 2015 11:00:34 +1000
Subject: ipmi/sel: Fix use after free The message was sometimes re-queued and always freed. Hilarity ensues.
Signed-off-by: Alistair Popple
Signed-off-by: Stewart Smith
---
 hw/ipmi/ipmi-sel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'hw/ipmi')
diff --git a/hw/ipmi/ipmi-sel.c b/hw/ipmi/ipmi-sel.c
index 8851dc3..7007f83 100644
--- a/hw/ipmi/ipmi-sel.c
+++ b/hw/ipmi/ipmi-sel.c
@@ -69,10 +69,10 @@ static void ipmi_elog_error(struct ipmi_msg *msg)
 if (msg->cc == IPMI_LOST_ARBITRATION_ERR)
 /* Retry due to SEL erase */
 ipmi_queue_msg(msg);
- else
+ else {
 opal_elog_complete(msg->user_data, false);
-
- ipmi_free_msg(msg);
+ ipmi_free_msg(msg);
+ }
 }

 /* Goes through the required steps to add a complete eSEL:
--
cgit v1.1
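Review bot: The retry branch of ipmi_elog_error re-queues msg every time the completion code is IPMI_LOST_ARBITRATION_ERR, and nothing visible in this hunk bounds how often that can happen. A BMC that keeps returning that code would keep the message alive and opal_elog_complete would never run for it, so a retry limit checked before `ipmi_queue_msg(msg);` is worth adding unless the queue layer already enforces one. The ownership rule this fix relies on is also only implicit; I would extend the comment to `/* Retry due to SEL erase: msg goes back to the queue, so it must not be freed here */`. Now that the else branch is braced, bracing the if branch as well keeps a later added statement from silently falling outside the condition. The opening of the function body lies outside the hunk.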