[ofa-general] [PATCH] IB/mlx4: fix oops in qp allocation for srq case
Michael S. Tsirkin
mst at dev.mellanox.co.il
Thu Jul 19 02:40:39 PDT 2007
Don't pass 0 size to kmalloc if qp->rq.wqe_cnt == 0 (e.g. for SRQ).
Note: initializing sq.wrid and rq.wrid to NULL at top helps keep error handling
simple, and also fixes what seems like a bug in create_qp_common error handling:
if srq is set for userspace, code at err_wrid would call kfree on wrid
arrays even though these have not been initialized.
Signed-off-by: Michael S. Tsirkin <mst at dev.mellanox.co.il>
---
This patch fixes the oops I reported earlier.
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index b5a24fb..79e50e5 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -315,6 +315,8 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
qp->rq.tail = 0;
qp->sq.head = 0;
qp->sq.tail = 0;
+ qp->sq.wrid = NULL;
+ qp->rq.wrid = NULL;
err = set_rq_size(dev, &init_attr->cap, !!pd->uobject, !!init_attr->srq, qp);
if (err)
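Review bot: The two NULL assignments at the top of this hunk carry the error-path fix, yet they read like routine resets next to the head/tail lines. Per the commit message, err_wrid calls kfree on both wrid arrays, so these initializations are what make that safe on paths that never allocate them. A one-line comment above `qp->sq.wrid = NULL;` saying that err_wrid relies on it would keep a later cleanup from removing them. Because the message describes this as a second, independent bug in the userspace SRQ error path, consider splitting it into its own patch so each fix can be reviewed and backported separately.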
@@ -385,13 +387,18 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
if (err)
goto err_mtt;
- qp->sq.wrid = kmalloc(qp->sq.wqe_cnt * sizeof (u64), GFP_KERNEL);
- qp->rq.wrid = kmalloc(qp->rq.wqe_cnt * sizeof (u64), GFP_KERNEL);
-
- if (!qp->sq.wrid || !qp->rq.wrid) {
+ qp->sq.wrid = kmalloc(qp->sq.wqe_cnt * sizeof (u64), GFP_KERNEL);
+ if (!qp->sq.wrid) {
err = -ENOMEM;
goto err_wrid;
}
+ if (qp->rq.wqe_cnt) {
+ qp->rq.wrid = kmalloc(qp->rq.wqe_cnt * sizeof (u64), GFP_KERNEL);
+ if (!qp->rq.wrid) {
+ err = -ENOMEM;
+ goto err_wrid;
+ }
+ }
}
err = mlx4_qp_alloc(dev->dev, sqpn, &qp->mqp);
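Review bot: The zero-size guard covers only the receive side. `qp->sq.wrid = kmalloc(qp->sq.wqe_cnt * sizeof (u64), GFP_KERNEL);` is still called unconditionally, so a zero sq.wqe_cnt would still pass size 0 to kmalloc. Either wrap it in `if (qp->sq.wqe_cnt)` like the rq allocation, or add a comment stating why the send queue count cannot be zero at this point. Both allocations also compute the size with an unchecked `wqe_cnt * sizeof (u64)`. If wqe_cnt is not bounded earlier in create_qp_common, an overflow-checked form such as kcalloc would be safer.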
--
MST