Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=23f1b38481596ad77e5f51562977b12c8418eee3
Commit:     23f1b38481596ad77e5f51562977b12c8418eee3
Parent:     0981582dbfae86ba0306406f1af329bb702752d2
Author:     Roland Dreier <[EMAIL PROTECTED]>
AuthorDate: Fri Jul 20 21:19:43 2007 -0700
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Fri Jul 20 21:19:43 2007 -0700

    IB/mlx4: Fix error path in create_qp_common()
    
    The error handling code at err_wrid in create_qp_common() does not
    handle a userspace QP attached to an SRQ correctly, since it ends up
    in the else clause of the if statement.  This means it tries to
    kfree() the uninitialized qp->sq.wrid and qp->rq.wrid pointers.  Fix
    this so we only free the wrid arrays for kernel QPs.
    
    Pointed out by Michael S. Tsirkin <[EMAIL PROTECTED]>.
    
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
---
 drivers/infiniband/hw/mlx4/qp.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 5456bc4..f6315df 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -415,9 +415,11 @@ static int create_qp_common(struct mlx4_ib_dev *dev, 
struct ib_pd *pd,
        return 0;
 
 err_wrid:
-       if (pd->uobject && !init_attr->srq)
-               mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context), 
&qp->db);
-       else {
+       if (pd->uobject) {
+               if (!init_attr->srq)
+                       
mlx4_ib_db_unmap_user(to_mucontext(pd->uobject->context),
+                                             &qp->db);
+       } else {
                kfree(qp->sq.wrid);
                kfree(qp->rq.wrid);
        }
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to