RDMA/srp: Fix NULL deref at srp_destroy_qp()
author Israel Rukshin <israelr@mellanox.com>
Thu, 11 May 2017 15:52:36 +0000 (18:52 +0300)
committer Doug Ledford <dledford@redhat.com>
Thu, 1 Jun 2017 21:20:10 +0000 (17:20 -0400)
If srp_init_qp() fails at srp_create_ch_ib() then ch->send_cq
may be NULL.
Calling directly to ib_destroy_qp() is sufficient because
no work requests were posted on the created qp.

Fixes: 9294000d6d89 ("IB/srp: Drain the send queue before destroying a QP")
Cc: <stable@vger.kernel.org>
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Bart van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/ulp/srp/ib_srp.c

index def723a5df29fa72342ed5e52ec7fa35fa54375c..4306285fb1555259ded16db5760b244e048ee951 100644 (file)
@@ -575,7 +575,7 @@ static int srp_create_ch_ib(struct srp_rdma_ch *ch)
        return 0;
 
 err_qp:
-       srp_destroy_qp(ch, qp);
+       ib_destroy_qp(qp);
 
 err_send_cq:
        ib_free_cq(send_cq);
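
Review bot: The err_qp label now calls ib_destroy_qp(qp) with no comment explaining why the driver's own srp_destroy_qp() helper is bypassed. A one-line comment at that label, saying that ch->send_cq may still be NULL on this path and that no work requests have been posted on qp, would keep a later cleanup from switching the call back. The hunk does not show the goto err_qp sites, so it is also worth confirming that each of them is reached before any work request is posted, since the commit message relies on that to skip the send queue drain.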