[ofa-general] Re: [PATCH] IB/mlx4: fix oops in qp allocation for srq case

Roland Dreier rdreier at cisco.com
Fri Jul 20 20:55:39 PDT 2007


(BTW, the kmalloc(0) crash should be fixed in Linus's latest git)

 > the bug in error handling is real though, isn't it?

yes, quite right.  I queued this up:

commit 597869e4dafbb05a69f571e5109f06245807ed6c
Author: Roland Dreier <rolandd at cisco.com>
Date:   Fri Jul 20 20:54:30 2007 -0700

    IB/mlx4: Fix error path in create_qp_common()
    
    The error handling code at err_wrid in create_qp_common() does not
    handle a userspace QP attached to an SRQ correctly, since it ends up
    in the else clause of the if statement.  This means it tries to
    kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers.  Fix
    this so we only free the wrid arrays for kernel QPs.
    
    Pointed out by Michael S. Tsirkin <mst at dev.mellanox.co.il>.
    
    Signed-off-by: Roland Dreier <rolandd at cisco.com>

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 5456bc4..f6315df 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
 	return 0;
 
 err_wrid:
-	if (pd->uobject && !init_attr->srq)
-		mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), &qp->db);
-	else {
+	if (pd->uobject) {
+		if (!init_attr->srq)
+			mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context),
+					      &qp->db);
+	} else {
 		kfree(qp->sq.wrid);
 		kfree(qp->rq.wrid);
 	}
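Review bot: the restructured condition fixes the real logic error in the hunk: with the old `if (pd->uobject && !init_attr->srq) ... else { kfree(...) }`, a userspace QP attached to an SRQ (pd->uobject set, init_attr->srq set) fell through to the else branch and kfree()d qp->sq.wrid and qp->rq.wrid, which are only allocated for kernel QPs, so the new nesting on pd->uobject alone correctly confines the kfree() calls to kernel QPs and the db unmap to user QPs without an SRQ. One follow-up worth confirming is whether qp is zero-allocated by the caller; if it is, kfree() on a not-yet-allocated wrid pointer would be a harmless kfree(NULL), which would make this error label robust against future reordering of the allocations above it, and if it is not, a short comment at err_wrid stating that both wrid arrays are guaranteed allocated for kernel QPs by this point would help the next reader.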
