IB/mlx4: Fix error path in create_qp_common()

The error handling code at err_wrid in create_qp_common() does not
handle a userspace QP attached to an SRQ correctly, since it ends up
in the else clause of the if statement.  This means it tries to
kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers.  Fix
this so we only free the wrid arrays for kernel QPs.

Pointed out by Michael S. Tsirkin <mst@dev.mellanox.co.il>.

Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 5456bc4aff7c85bd819fd98087002002904ca9d9..f6315dfb213ec8638a2e239272cd77848175773c 100644 (file)
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
        return 0;
 
 err_wrid:
-       if (pd->uobject && !init_attr->srq)
-               mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), &qp->db);
-       else {
+       if (pd->uobject) {
+               if (!init_attr->srq)
+                       mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context),
+                                             &qp->db);
+       } else {
                kfree(qp->sq.wrid);
                kfree(qp->rq.wrid);
        }