From: Mike Marciniszyn Date: Tue, 16 Aug 2016 20:26:29 +0000 (-0700) Subject: IB/rdmvat: Fix double vfree() in rvt_create_qp() error path X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=56c8ca510de2884b2f741e5fd8d3df6161378de6;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git IB/rdmvat: Fix double vfree() in rvt_create_qp() error path The unwind logic for creating a user QP has a double vfree of the non-shared receive queue when handling a "too many qps" failure. The code unwinds the mmmap info by decrementing a reference count which will call rvt_release_mmap_info() which in turn does the vfree() of the r_rq.wq. The unwind code then does the same free. Fix by guarding the vfree() with the same test that is done in close and only do the vfree() if qp->ip is NULL. Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford --- diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c index bdb540f25a88..870b4f212fbc 100644 --- a/drivers/infiniband/sw/rdmavt/qp.c +++ b/drivers/infiniband/sw/rdmavt/qp.c @@ -873,7 +873,8 @@ bail_qpn: free_qpn(&rdi->qp_dev->qpn_table, qp->ibqp.qp_num); bail_rq_wq: - vfree(qp->r_rq.wq); + if (!qp->ip) + vfree(qp->r_rq.wq); bail_driver_priv: rdi->driver_f.qp_priv_free(rdi, qp);
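Review bot: the `if (!qp->ip)` guard at `bail_rq_wq` encodes an ownership rule that the code itself does not state: once `qp->ip` is set, `r_rq.wq` belongs to the mmap info and is freed through `rvt_release_mmap_info()`, not by this unwind. A one-line comment above the guard saying so, and pointing at the matching test in the close path mentioned in the commit message, would keep a later cleanup from "simplifying" it back into the double free. It is also worth confirming that every `goto` which can arrive at `bail_rq_wq` with `qp->ip` non-NULL has already dropped the mmap info reference; the labels above `bail_qpn` are not in this context, and a path that reaches here with `qp->ip` set but without that put would now leak the queue instead of freeing it twice.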