On 8/10/2018 12:06 AM, Jason Gunthorpe wrote:
mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
were written. Static checkers missed this because the struct was
un-necessarily created in a different function, so consolidate that too.
Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
---
drivers/infiniband/hw/mlx5/qp.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 6efd770797d121..5839ac0083fa07 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -772,14 +772,13 @@ static int adjust_bfregn(struct mlx5_ib_dev *dev,
static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd,
struct mlx5_ib_qp *qp, struct ib_udata *udata,
- struct ib_qp_init_attr *attr,
- u32 **in,
- struct mlx5_ib_create_qp_resp *resp, int *inlen,
+ struct ib_qp_init_attr *attr, u32 **in, int *inlen,
struct mlx5_ib_qp_base *base)
{
struct mlx5_ib_ucontext *context;
struct mlx5_ib_create_qp ucmd;
struct mlx5_ib_ubuffer *ubuffer = &base->ubuffer;
+ struct mlx5_ib_create_qp_resp resp = {};
int page_shift = 0;
int uar_index = 0;
int npages;
@@ -861,9 +860,9 @@ static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd,
MLX5_SET(qpc, qpc, uar_page, uar_index);
if (bfregn != MLX5_IB_INVALID_BFREG)
- resp->bfreg_index = adjust_bfregn(dev, &context->bfregi, bfregn);
+ resp.bfreg_index = adjust_bfregn(dev, &context->bfregi, bfregn);
else
- resp->bfreg_index = MLX5_IB_INVALID_BFREG;
+ resp.bfreg_index = MLX5_IB_INVALID_BFREG;
qp->bfregn = bfregn;
err = mlx5_ib_db_map_user(context, ucmd.db_addr, &qp->db);
@@ -872,7 +871,7 @@ static int create_user_qp(struct mlx5_ib_dev *dev, struct ib_pd *pd,
goto err_free;
}
- err = ib_copy_to_udata(udata, resp, min(udata->outlen, sizeof(*resp)));
+ err = ib_copy_to_udata(udata, &resp, min(udata->outlen, sizeof(resp)));
if (err) {
mlx5_ib_dbg(dev, "copy failed\n");
goto err_unmap;
@@ -1607,7 +1606,6 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
struct mlx5_ib_resources *devr = &dev->devr;
int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
struct mlx5_core_dev *mdev = dev->mdev;
- struct mlx5_ib_create_qp_resp resp;
I would prefer leave it here and set the fix (i.e. = {}) instead of the
local 'resp' that this patch introduced as part of create_user_qp().
Down the road we plan some extensions to the response that will use this
field (e.g. as part of create_raw_packet_qp() below for TIR/TIS).
struct mlx5_ib_cq *send_cq;
struct mlx5_ib_cq *recv_cq;
unsigned long flags;
@@ -1763,7 +1761,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
return -EINVAL;
}
err = create_user_qp(dev, pd, qp, udata, init_attr, &in,
- &resp, &inlen, base);
+ &inlen, base);
if (err)
mlx5_ib_dbg(dev, "err %d\n", err);
} else {
