From 18ec396f9e56062a97207643a4c0c453f24e07b1 Mon Sep 17 00:00:00 2001
From: Chengchang Tang
Date: Fri, 8 Nov 2024 17:04:08 +0800
Subject: [PATCH] libhns: Fix reference to uninitialized cq pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
mainline inclusion from mainline-master commit 18e3117cdd161a3f40b8a917f24cfb5227a1d75a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/IB3ZHQ
CVE: NA
Reference: https://github.com/linux-rdma/rdma-core/pull/1513/commits/18e3117cdd161a3f40b8a917f24cfb5227a1d75a
----------------------------------------------------------------------
For QPs which do not have an SQ, such as XRC TGT,the send_cq pointer will not be initailized. Since the supported max_gs will be 0 in this case, check it and return before referencing the send_cq pointer.
Fixes: cbdf5e32a855 ("libhns: Reimplement verbs of post_send and post_recv for hip08 RoCE")
Signed-off-by: Chengchang Tang
Signed-off-by: Junxian Huang
Signed-off-by: Xinghai Cen
---
 providers/hns/hns_roce_u_hw_v2.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/providers/hns/hns_roce_u_hw_v2.c b/providers/hns/hns_roce_u_hw_v2.c
index 2debcb3..465ef1e 100644
--- a/providers/hns/hns_roce_u_hw_v2.c
+++ b/providers/hns/hns_roce_u_hw_v2.c
@@ -1579,7 +1579,7 @@ int hns_roce_u_v2_post_send(struct ibv_qp *ibvqp, struct ibv_send_wr *wr,
 struct hns_roce_context *ctx = to_hr_ctx(ibvqp->context);
 struct hns_roce_qp *qp = to_hr_qp(ibvqp);
 struct hns_roce_sge_info sge_info = {};
- struct hns_roce_rc_sq_wqe *wqe;
+ struct hns_roce_rc_sq_wqe *wqe = NULL;
 struct ibv_qp_attr attr = {};
 unsigned int wqe_idx, nreq;
 int ret;
@@ -1595,15 +1595,15 @@ int hns_roce_u_v2_post_send(struct ibv_qp *ibvqp, struct ibv_send_wr *wr,
 sge_info.start_idx = qp->next_sge; /* start index of extend sge */
 for (nreq = 0; wr; ++nreq, wr = wr->next) {
- if (hns_roce_v2_wq_overflow(&qp->sq, nreq,
- to_hr_cq(qp->verbs_qp.qp.send_cq))) {
- ret = ENOMEM;
+ if (wr->num_sge > (int)qp->sq.max_gs) {
+ ret = qp->sq.max_gs > 0 ? EINVAL : EOPNOTSUPP;
 *bad_wr = wr;
 goto out;
 }
- if (wr->num_sge > qp->sq.max_gs) {
- ret = EINVAL;
+ if (hns_roce_v2_wq_overflow(&qp->sq, nreq,
+ to_hr_cq(qp->verbs_qp.qp.send_cq))) {
+ ret = ENOMEM;
 *bad_wr = wr;
 goto out;
 }
--
2.25.1
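Review bot: A work request with `num_sge == 0` still reaches `to_hr_cq(qp->verbs_qp.qp.send_cq)` on a QP without an SQ, because the reordered guard `wr->num_sge > (int)qp->sq.max_gs` is false when both sides are 0; unless a check before the loop (outside this hunk) already rejects such QPs, the uninitialized pointer described in the commit message is still used for that input. The added `(int)` cast also changes how a negative `num_sge` is handled: if `max_gs` is unsigned, as the cast suggests, the old comparison converted a negative count to a large unsigned value and returned EINVAL, whereas the new one lets it through. Testing the no-SQ case directly would cover both, e.g. `if (qp->sq.max_gs == 0 || wr->num_sge < 0 || wr->num_sge > (int)qp->sq.max_gs) {` with the `ret` line left as it is. The enclosing function and the `out:` label lie outside the hunk.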