rvt_create_qp() creates qp->ip only when a qp creation request comes from
userspace (udata is not NULL). If we exceed the number of available
queue pairs however, the error path always attempts to put a kref to this
structure. If the requestor is inside the kernel, this leads to a crash.
We fix this by checking that qp->ip is not NULL before calling kref_put().
Signed-off-by: Jim Foraker <foraker1@llnl.gov>
Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Acked-by: Jonathan Toppins <jtoppins@redhat.com>
Acked-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
return ret;
bail_ip:
- kref_put(&qp->ip->ref, rvt_release_mmap_info);
+ if (qp->ip)
+ kref_put(&qp->ip->ref, rvt_release_mmap_info);
bail_qpn:
free_qpn(&rdi->qp_dev->qpn_table, qp->ibqp.qp_num);
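Review bot: the new `if (qp->ip)` guard at bail_ip is only safe if qp->ip is reliably NULL whenever udata is NULL, and the allocation of qp is not visible in this hunk. Please confirm that qp is zero-allocated (or that qp->ip is explicitly set to NULL before the first jump that can reach bail_ip), otherwise the kernel-caller path could still pass an uninitialised pointer to kref_put(). Since the message describes a crash for in-kernel requestors, a Fixes: tag naming the commit that introduced the unconditional kref_put() would also help backporting; none appears among the trailers shown.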