IB/mlx4: Fix off-by-one errors in calls to mlx4_ib_free_cq_buf()

When I merged bbf8eed1 ("IB/mlx4: Add support for resizing CQs") I
changed things around so that mlx4_ib_alloc_cq_buf() and
mlx4_ib_free_cq_buf() were used everywhere they could be.  However, I
screwed up the number of entries passed into mlx4_ib_alloc_cq_buf()
in a couple places -- the function bumps the number of entries
internally, so the caller shouldn't add 1 as well.

Passing a too-big value for the number of entries to mlx4_ib_free_cq_buf()
can cause the cleanup to go off the end of an array and corrupt
allocator state in interesting ways.

Signed-off-by: Roland Dreier <rolandd@cisco.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/infiniband/hw/mlx4/cq.c b/drivers/infiniband/hw/mlx4/cq.c
index 2f199c5c4a72..4521319b1406 100644
--- a/drivers/infiniband/hw/mlx4/cq.c
+++ b/drivers/infiniband/hw/mlx4/cq.c
@@ -246,7 +246,7 @@ err_mtt:
         if (context)
                 ib_umem_release(cq->umem);
         else
-                mlx4_ib_free_cq_buf(dev, &cq->buf, entries);
+                mlx4_ib_free_cq_buf(dev, &cq->buf, cq->ibcq.cqe);
 
 err_db:
         if (!context)
@@ -434,7 +434,7 @@ int mlx4_ib_destroy_cq(struct ib_cq *cq)
                 mlx4_ib_db_unmap_user(to_mucontext(cq->uobject->context), &mcq->db);
                 ib_umem_release(mcq->umem);
         } else {
-                mlx4_ib_free_cq_buf(dev, &mcq->buf, cq->cqe + 1);
+                mlx4_ib_free_cq_buf(dev, &mcq->buf, cq->cqe);
                 mlx4_db_free(dev->dev, &mcq->db);
         }