IB/mlx4: Fix error path in create_qp_common()
The error handling code at err_wrid in create_qp_common() does not handle a userspace QP attached to an SRQ correctly, since it ends up in the else clause of the if statement. This means it tries to kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers. Fix this so we only free the wrid arrays for kernel QPs. Pointed out by Michael S. Tsirkin <mst@dev.mellanox.co.il>. Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
Roland Dreier
parent
0981582dbf
commit
23f1b38481
1 changed files with 5 additions and 3 deletions
|
|
@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
|
|||
return 0;
|
||||
|
||||
err_wrid:
|
||||
if (pd->uobject && !init_attr->srq)
|
||||
mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), &qp->db);
|
||||
else {
|
||||
if (pd->uobject) {
|
||||
if (!init_attr->srq)
|
||||
mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context),
|
||||
&qp->db);
|
||||
} else {
|
||||
kfree(qp->sq.wrid);
|
||||
kfree(qp->rq.wrid);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue