[PATCH 4.11 086/115] RDMA/srp: Fix NULL deref at srp_destroy_qp()

From: Greg Kroah-Hartman
Date: Mon Jun 05 2017 - 12:39:00 EST


4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Israel Rukshin <israelr@xxxxxxxxxxxx>

commit 95c2ef50c726a51d580c35ae8dccd383abaa8701 upstream.

If srp_init_qp() fails at srp_create_ch_ib() then ch->send_cq
may be NULL.
Calling directly to ib_destroy_qp() is sufficient because
no work requests were posted on the created qp.

Fixes: 9294000d6d89 ("IB/srp: Drain the send queue before destroying a QP")
Signed-off-by: Israel Rukshin <israelr@xxxxxxxxxxxx>
Reviewed-by: Max Gurtovoy <maxg@xxxxxxxxxxxx>
Reviewed-by: Bart van Assche <bart.vanassche@xxxxxxxxxxx>--
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/infiniband/ulp/srp/ib_srp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -570,7 +570,7 @@ static int srp_create_ch_ib(struct srp_r
return 0;

err_qp:
- srp_destroy_qp(ch, qp);
+ ib_destroy_qp(qp);

err_send_cq:
ib_free_cq(send_cq);
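
Review bot: at the err_qp label, the call to ib_destroy_qp(qp) is only correct because of an invariant that is stated in the commit message and nowhere in the code: no work requests have been posted on the qp, and ch->send_cq may still be NULL when this path runs. A one-line comment above the call saying so would keep a later cleanup from restoring srp_destroy_qp(ch, qp) here and bringing back the NULL dereference. It is also worth confirming that every goto err_qp in srp_create_ch_ib() is taken before any work request is posted, since this error path no longer drains the send queue before destroying the QP.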