aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/infiniband/hw/mlx4/qp.c
diff options
context:
space:
mode:
authorRoland Dreier <rolandd@cisco.com>2007-07-21 00:19:43 -0400
committerRoland Dreier <rolandd@cisco.com>2007-07-21 00:19:43 -0400
commit23f1b38481596ad77e5f51562977b12c8418eee3 (patch)
tree7df6cea98a135f5a85657f0dde882410cdfd5d7e /drivers/infiniband/hw/mlx4/qp.c
parent0981582dbfae86ba0306406f1af329bb702752d2 (diff)
IB/mlx4: Fix error path in create_qp_common()
The error handling code at err_wrid in create_qp_common() does not handle a userspace QP attached to an SRQ correctly, since it ends up in the else clause of the if statement. This means it tries to kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers. Fix this so we only free the wrid arrays for kernel QPs. Pointed out by Michael S. Tsirkin <mst@dev.mellanox.co.il>. Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/mlx4/qp.c')
-rw-r--r--drivers/infiniband/hw/mlx4/qp.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 5456bc4aff7c..f6315dfb213e 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
415 return 0; 415 return 0;
416 416
417err_wrid: 417err_wrid:
418 if (pd->uobject && !init_attr->srq) 418 if (pd->uobject) {
419 mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), &qp->db); 419 if (!init_attr->srq)
420 else { 420 mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context),
421 &qp->db);
422 } else {
421 kfree(qp->sq.wrid); 423 kfree(qp->sq.wrid);
422 kfree(qp->rq.wrid); 424 kfree(qp->rq.wrid);
423 } 425 }