diff options
author | Michael S. Tsirkin <mst@mellanox.co.il> | 2007-01-03 14:46:30 +0200 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2007-01-04 19:46:32 -0800 |
commit | 46707e96b7254663139225ab6c9ab9922cd8c435 (patch) | |
tree | 37c3863b79be45c0d47f57aa72709ea3b9db64e9 /drivers/infiniband | |
parent | d1398a6ff503a849f3c123bc5f0fdff383a1b6ec (diff) | |
download | kernel_samsung_tuna-46707e96b7254663139225ab6c9ab9922cd8c435.zip kernel_samsung_tuna-46707e96b7254663139225ab6c9ab9922cd8c435.tar.gz kernel_samsung_tuna-46707e96b7254663139225ab6c9ab9922cd8c435.tar.bz2 |
IB/mthca: Fix off-by-one in FMR handling on memfree
mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses >= when it should use >.
Example: assume we have 2 entries in scatterlist, 4K each, offset is
4K. The current code will return first entry + 4K when we really want
the second entry.
In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r-- | drivers/infiniband/hw/mthca/mthca_memfree.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c index 15cc2f6..6b19645 100644 --- a/drivers/infiniband/hw/mthca/mthca_memfree.c +++ b/drivers/infiniband/hw/mthca/mthca_memfree.c @@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_table *table, int obj) list_for_each_entry(chunk, &icm->chunk_list, list) { for (i = 0; i < chunk->npages; ++i) { - if (chunk->mem[i].length >= offset) { + if (chunk->mem[i].length > offset) { page = chunk->mem[i].page; goto out; } |