diff options
| author | Leon Romanovsky <leonro@mellanox.com> | 2017-01-18 14:10:30 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-06-05 21:17:08 +0100 |
| commit | 633eb2ae856cc0faeb9b47b0d1671fcabe66fbfd (patch) | |
| tree | 9d5ac8e81d19cf494280a6fa92ea1a31c4eceebd /drivers | |
| parent | bdf0863011d5d23857b61d2d41372fee53e91b0e (diff) | |
| download | linux-stable-633eb2ae856cc0faeb9b47b0d1671fcabe66fbfd.tar.gz linux-stable-633eb2ae856cc0faeb9b47b0d1671fcabe66fbfd.tar.bz2 linux-stable-633eb2ae856cc0faeb9b47b0d1671fcabe66fbfd.zip | |
IB/mlx5: Fix out-of-bound access
commit 0fd27a88c2e4f548937fd7d93fc6e65c4ad7c278 upstream.
When we initialize buffer to create SRQ in kernel,
the number of pages was less than actually used in
following mlx5_fill_page_array().
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/infiniband/hw/mlx5/srq.c | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c index 384af6dec5eb..7c2fe5235ae2 100644 --- a/drivers/infiniband/hw/mlx5/srq.c +++ b/drivers/infiniband/hw/mlx5/srq.c @@ -156,8 +156,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, int err; int i; struct mlx5_wqe_srq_next_seg *next; - int page_shift; - int npages; err = mlx5_db_alloc(&dev->mdev, &srq->db); if (err) { @@ -172,7 +170,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, err = -ENOMEM; goto err_db; } - page_shift = srq->buf.page_shift; srq->head = 0; srq->tail = srq->msrq.max - 1; @@ -184,10 +181,8 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, cpu_to_be16((i + 1) & (srq->msrq.max - 1)); } - npages = DIV_ROUND_UP(srq->buf.npages, 1 << (page_shift - PAGE_SHIFT)); - mlx5_ib_dbg(dev, "buf_size %d, page_shift %d, npages %d, calc npages %d\n", - buf_size, page_shift, srq->buf.npages, npages); - *inlen = sizeof(**in) + sizeof(*(*in)->pas) * npages; + mlx5_ib_dbg(dev, "srq->buf.page_shift = %d\n", srq->buf.page_shift); + *inlen = sizeof(**in) + sizeof(*(*in)->pas) * srq->buf.npages; *in = mlx5_vzalloc(*inlen); if (!*in) { err = -ENOMEM; @@ -204,7 +199,7 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, } srq->wq_sig = !!srq_signature; - (*in)->ctx.log_pg_sz = page_shift - MLX5_ADAPTER_PAGE_SHIFT; + (*in)->ctx.log_pg_sz = srq->buf.page_shift - MLX5_ADAPTER_PAGE_SHIFT; return 0; |