diff options
author | Roland Dreier <rolandd@cisco.com> | 2007-07-21 00:19:43 -0400 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2007-07-21 00:19:43 -0400 |
commit | 23f1b38481596ad77e5f51562977b12c8418eee3 (patch) | |
tree | 7df6cea98a135f5a85657f0dde882410cdfd5d7e /drivers/infiniband/hw/mlx4/qp.c | |
parent | 0981582dbfae86ba0306406f1af329bb702752d2 (diff) |
IB/mlx4: Fix error path in create_qp_common()
The error handling code at err_wrid in create_qp_common() does not
handle a userspace QP attached to an SRQ correctly, since it ends up
in the else clause of the if statement. This means it tries to
kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers. Fix
this so we only free the wrid arrays for kernel QPs.
Pointed out by Michael S. Tsirkin <mst@dev.mellanox.co.il>.
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/hw/mlx4/qp.c')
-rw-r--r-- | drivers/infiniband/hw/mlx4/qp.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index 5456bc4aff7c..f6315dfb213e 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c | |||
@@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd, | |||
415 | return 0; | 415 | return 0; |
416 | 416 | ||
417 | err_wrid: | 417 | err_wrid: |
418 | if (pd->uobject && !init_attr->srq) | 418 | if (pd->uobject) { |
419 | mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), &qp->db); | 419 | if (!init_attr->srq) |
420 | else { | 420 | mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), |
421 | &qp->db); | ||
422 | } else { | ||
421 | kfree(qp->sq.wrid); | 423 | kfree(qp->sq.wrid); |
422 | kfree(qp->rq.wrid); | 424 | kfree(qp->rq.wrid); |
423 | } | 425 | } |