IB/mthca: Fix mthca_array_clear() thinko

mthca_array_clear() does not clear the slot if the used count is
positive. This leads to crashes in mthca_qp_event() since that uses
mthca_array_get() to check that the qp is valid.

Discovered by Ali Ayoub.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/hw/mthca/mthca_allocator.c b/drivers/infiniband/hw/mthca/mthca_allocator.c
index 9ba3211cef7cb2a7747348420d5dbad3ff0ee18d..848e583273d4922af73e3ad7e8ffeae928b746ab 100644 (file)
--- a/drivers/infiniband/hw/mthca/mthca_allocator.c
+++ b/drivers/infiniband/hw/mthca/mthca_allocator.c
@@ -144,7 +144,9 @@ void mthca_array_clear(struct mthca_array *array, int index)
        if (--array->page_list[p].used == 0) {
                free_page((unsigned long) array->page_list[p].page);
                array->page_list[p].page = NULL;
-       }
+       } else
+               array->page_list[p].page[index & (PAGE_SIZE /
+                                                 sizeof (void *) - 1)] = NULL;
 
        if (array->page_list[p].used < 0)
                pr_debug("Array %p index %d page %d with ref count %d < 0\n",