diff options
author | Mike Marciniszyn <mike.marciniszyn@intel.com> | 2016-08-16 13:26:29 -0700 |
---|---|---|
committer | Doug Ledford <dledford@redhat.com> | 2016-08-22 15:00:42 -0400 |
commit | 56c8ca510de2884b2f741e5fd8d3df6161378de6 (patch) | |
tree | eb5e5371b2811f9e26392fd05de2fd0efec7ebcf /drivers/infiniband | |
parent | 08fe16f6192bccd5798e9b60461f7aa151b34cd4 (diff) |
IB/rdmvat: Fix double vfree() in rvt_create_qp() error path
The unwind logic for creating a user QP has a double vfree
of the non-shared receive queue when handling a "too many qps"
failure.
The code unwinds the mmmap info by decrementing a reference
count which will call rvt_release_mmap_info() which in turn
does the vfree() of the r_rq.wq. The unwind code then does
the same free.
Fix by guarding the vfree() with the same test that is done
in close and only do the vfree() if qp->ip is NULL.
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r-- | drivers/infiniband/sw/rdmavt/qp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index bdb540f25a88..870b4f212fbc 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -873,7 +873,8 @@ bail_qpn: free_qpn(&rdi->qp_dev->qpn_table, qp->ibqp.qp_num); bail_rq_wq: - vfree(qp->r_rq.wq); + if (!qp->ip) + vfree(qp->r_rq.wq); bail_driver_priv: rdi->driver_f.qp_priv_free(rdi, qp); |