From: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>

Move the qp error handler to be near the rxe_create_qp.

Reported-by: syzbot+833061116fa28df97f3b@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Zhu Yanjun <yanjun.zhu@xxxxxxxxx>
---
 drivers/infiniband/sw/rxe/rxe_qp.c    | 14 ++++++++++----
 drivers/infiniband/sw/rxe/rxe_verbs.c |  1 -
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 22e9b85344c3..f73ca567a8b3 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -220,8 +220,7 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp,
 			   &qp->sq.queue->ip);
 
 	if (err) {
-		vfree(qp->sq.queue->buf);
-		kfree(qp->sq.queue);
+		rxe_queue_cleanup(qp->sq.queue);
 		qp->sq.queue = NULL;
 		return err;
 	}
@@ -277,8 +276,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp,
 			   qp->rq.queue->buf, qp->rq.queue->buf_size,
 			   &qp->rq.queue->ip);
 	if (err) {
-		vfree(qp->rq.queue->buf);
-		kfree(qp->rq.queue);
+		rxe_queue_cleanup(qp->rq.queue);
 		qp->rq.queue = NULL;
 		return err;
 	}
@@ -341,6 +339,14 @@ int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, struct rxe_pd *pd,
 	return 0;
 
 err2:
+	if (qp_type(qp) == IB_QPT_RC) {
+		del_timer_sync(&qp->retrans_timer);
+		del_timer_sync(&qp->rnr_nak_timer);
+	}
+
+	rxe_cleanup_task(&qp->req.task);
+	rxe_cleanup_task(&qp->comp.task);
+
 	rxe_queue_cleanup(qp->sq.queue);
 	qp->sq.queue = NULL;
 err1:
diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index 9d995854a174..d0bc195b572f 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -432,7 +432,6 @@ static int rxe_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *init,
 	return 0;
 
 qp_init:
-	rxe_put(qp);
 	return err;
 }
 
--
2.31.1
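Review bot: Replacing the explicit vfree()/kfree() pair with rxe_queue_cleanup() in rxe_qp_init_req (this hunk) and rxe_qp_init_resp (next hunk) is only equivalent if do_mmap_info() leaves queue->ip unset when it fails; if the helper takes a different release path when ->ip is populated, a failure that had already published ->ip would no longer free the buffer the way the removed code did. Neither do_mmap_info() nor rxe_queue_cleanup() is visible here, so this should be confirmed and recorded at the call site, e.g. `/* do_mmap_info() failed before ->ip was set: frees buf and the queue */`. Both enclosing functions start outside their hunks.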
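Review bot: The teardown added at err2 in rxe_qp_from_init (RC timers, req/comp tasks) is correct only if every jump to err2 happens after the setup those calls undo has run; the jump sites are outside the hunk, so the invariant is not reviewable from the diff and should be stated at the label, e.g. `/* err2: undo rxe_qp_init_req (tasks, RC timers, sq queue) */`. If the pool's cleanup callback performs the same teardown when the qp is finally released, the two paths now overlap; that duplication is presumably harmless for del_timer_sync() and task cleanup but deserves a comment or a guard so the next change to either path does not break the other. The function body begins outside the hunk.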
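Review bot: Removing rxe_put(qp) from the qp_init label in rxe_create_qp leaves whatever reference the function took on the pool object earlier (outside this hunk) unreleased when rxe_qp_from_init() fails, so the pool element and its memory appear to leak on this error path unless the caller now drops it. If the put was removed because the cleanup callback it triggers dereferenced state that a failed rxe_qp_from_init() never initialised, the safer shape is to keep the reference drop and make the callback tolerant of a partially built qp (or release the element without running it), rather than skip the release entirely. A comment at the label stating who frees the qp on failure, e.g. `/* qp is released by ...; rxe_qp_from_init() already undid its own setup */`, would make the ownership reviewable. The enclosing function starts outside the hunk.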