From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754904AbdBRVSd (ORCPT ); Sat, 18 Feb 2017 16:18:33 -0500 Received: from mout.web.de ([212.227.15.3]:59277 "EHLO mout.web.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753833AbdBRVS2 (ORCPT ); Sat, 18 Feb 2017 16:18:28 -0500 Subject: [PATCH 28/29] IB/mlx5: Less function calls in create_kernel_qp() after error detection To: linux-rdma@vger.kernel.org, Doug Ledford , Hal Rosenstock , Leon Romanovsky , Matan Barak , Sean Hefty , Yishai Hadas References: <1935365a-bd7c-461e-6a84-0c5d3a501fff@users.sourceforge.net> Cc: LKML , kernel-janitors@vger.kernel.org 
From: SF Markus Elfring Message-ID: <01c34ad6-5a61-84dd-8749-ea2b69eb2381@users.sourceforge.net> Date: Sat, 18 Feb 2017 22:18:16 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: <1935365a-bd7c-461e-6a84-0c5d3a501fff@users.sourceforge.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:9dLEVyGgQ7X2R2g2ovA9p2CyCQZTjCk+FK32bgN2BGzA8QVOdcZ lP3LWfhh/MMsp1UAQKveNMYCpaxDmCXAGftN9KP+QrPQjzqMU39L3R8J5v+Ol3O026CDkdW 7WlsmjmZ+N6aTSCDvKGknoOz8Ej9qix8EJaPhHak/J9xulvT0tV3C42YqM6uUTrTMrUSnsL jSfn19rC2SiwtjOUTVa2A== X-UI-Out-Filterresults: notjunk:1;V01:K0:2Jxhp6Ggw9c=:R8wb3xVTee6V5ZlNTwiWl9 QUWdQ2RD99KTt/V/7qMRyyeeqbP78riWPWnQ117E4yzFHo+zoGDuWrvN4E3PVJQGp6dN4PmwQ k8XQvdslQXOvCv2wTUACUSz0UYuGbXZTvgaq1JcC8/biZ+liEL8xVKtdKPqIDSYJGl1PjkhWf GLtab5JmazAIw19whYZ34mveaBZrzlLCGK097ITo4QFTAf4CfhL45Blo6YYL1QFtbpEFUOWha OrECZRWT+ErDv/nK2kJeZCUXd9OM94KuIKUhAIaMFetu9tKbBONri6UDojZZLGWMThZZYaZS9 i9xAmyYmOO/GQiq0JVCIgGMYX7lpPKPvSFaPbmClsAnktdQDVUnFLxq5Sx+G5CQawXCKwJbws Re97/UYjY9HrJ27HUKt3XbN/CXqGGfeVDjlvMw66oawklxBLq2GAzondhhxH8YQHgy0ghSAPR FjrMP5xJWAQDqJOpPq/zo6spMrbf0K8smQTc+a1RXJwfzn+yKk80Gh8tCbBEiCIiDXd4UEGDe jK2paZ0F37+oqBKTTkBVIbJNmOmAsZ5xPXdP2Rsd3yv7nNSJkToGEyRjCuz20DKbrQI12N0N1 2e4yDyspqfssQmD8SBt4zGiQ+fi5B6bvykyKihdNSZ7u9japNxpe4yHabu4zc0KuJVfQSgRBC xDA4OL/MQS+jY/+iHw3R+zep5iyJmmoZsS87cvHCxiAgdXZuIVtMSaWNaAJN5BdTN7+hiMAoa m/Ly5u/KqbIVtRiAH6iHgbePPQ/WOKO6gAYd5GY1CMI8KvBiSK3c+z3XPuyItq+E3jL+cuP7n 2KQnfVp Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 
From: Markus Elfring Date: Sat, 18 Feb 2017 21:00:50 +0100 The kfree() function was called in up to five cases by the create_kernel_qp() function during error handling even if the passed data structure member contained a null pointer. * Adjust jump targets according to the Linux coding style convention. * Split a condition check for memory allocation failures so that each pointer from these function calls will be checked immediately. See also background information: Topic "CWE-754: Improper check for unusual or exceptional conditions" Link: https://cwe.mitre.org/data/definitions/754.html Signed-off-by: Markus Elfring --- drivers/infiniband/hw/mlx5/qp.c | 43 ++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index e6e9b468b206..c47afce5fc6a 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -930,7 +930,7 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev, *in = mlx5_vzalloc(*inlen); if (!*in) { err = -ENOMEM; - goto err_buf; + goto free_buffer; } qpc = MLX5_ADDR_OF(create_qp_in, *in, qpc); 
@@ -952,45 +952,56 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev, err = mlx5_db_alloc(dev->mdev, &qp->db); if (err) { mlx5_ib_dbg(dev, "err %d\n", err); - goto err_free; + goto vfree_in; } qp->sq.wrid = kmalloc_array(qp->sq.wqe_cnt, sizeof(*qp->sq.wrid), GFP_KERNEL); + if (!qp->sq.wrid) + goto free_db; + qp->sq.wr_data = kmalloc_array(qp->sq.wqe_cnt, sizeof(*qp->sq.wr_data), GFP_KERNEL); + if (!qp->sq.wr_data) + goto free_sq_wrid; + qp->rq.wrid = kmalloc_array(qp->rq.wqe_cnt, sizeof(*qp->rq.wrid), GFP_KERNEL); + if (!qp->rq.wrid) + goto free_sq_wr_data; + qp->sq.w_list = kmalloc_array(qp->sq.wqe_cnt, sizeof(*qp->sq.w_list), GFP_KERNEL); + if (!qp->sq.w_list) + goto free_rq_wrid; + qp->sq.wqe_head = kmalloc_array(qp->sq.wqe_cnt, sizeof(*qp->sq.wqe_head), GFP_KERNEL); - if (!qp->sq.wrid || !qp->sq.wr_data || !qp->rq.wrid || - !qp->sq.w_list || !qp->sq.wqe_head) { - err = -ENOMEM; - goto err_wrid; - } + if (!qp->sq.wqe_head) + goto free_sq_w_list; + qp->create_type = MLX5_QP_KERNEL; return 0; - -err_wrid: - kfree(qp->sq.wqe_head); +free_sq_w_list: kfree(qp->sq.w_list); - kfree(qp->sq.wrid); - kfree(qp->sq.wr_data); +free_rq_wrid: kfree(qp->rq.wrid); +free_sq_wr_data: + kfree(qp->sq.wr_data); +free_sq_wrid: + kfree(qp->sq.wrid); +free_db: mlx5_db_free(dev->mdev, &qp->db); - -err_free: + err = -ENOMEM; +vfree_in: kvfree(*in); - -err_buf: +free_buffer: mlx5_buf_free(dev->mdev, &qp->buf); return err; } -- 2.11.1
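Review bot: The `err = -ENOMEM;` placed between `mlx5_db_free()` and the `vfree_in:` label sits inside the unwind ladder, so every path entering at `free_db:` or above has its `err` overwritten. It is correct today only because all five jumps are allocation failures. The first hunk of this function sets `err = -ENOMEM;` before `goto free_buffer;`, and the same convention fits here: a single `err = -ENOMEM;` before the first `kmalloc_array()` call, with the assignment under `free_db:` dropped, so a later non-ENOMEM failure cannot be misreported. Separately, the early exits now leave the `qp->sq`/`qp->rq` members after the failing allocation unassigned (the old code wrote all five before checking), and the freed members keep their stale addresses. If any teardown outside this hunk frees them after a failed create, that risks a double free or a free of an unset pointer, so confirm the caller's behaviour or set them to NULL after `kfree()`. The body of create_kernel_qp() starts outside the hunk.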