[patch 11/59] [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree
-stable review patch. If anyone has any objections, please let us know.
--
From: Michael S. Tsirkin <[EMAIL PROTECTED]>
mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses >= when it should use >.
Example: assume we have 2 entries in scatterlist, 4K each, offset is
4K. The current code will return first entry + 4K when we really want
the second entry.
In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.
Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]>
Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
This is upstream, and fixes a data corruption/crash bug with storage
over SRP.
drivers/infiniband/hw/mthca/mthca_memfree.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.2.orig/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ linux-2.6.19.2/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_
list_for_each_entry(chunk, >chunk_list, list) {
for (i = 0; i < chunk->npages; ++i) {
- if (chunk->mem[i].length >= offset) {
+ if (chunk->mem[i].length > offset) {
page = chunk->mem[i].page;
goto out;
}
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[patch 11/59] [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree
-stable review patch. If anyone has any objections, please let us know.
--
From: Michael S. Tsirkin [EMAIL PROTECTED]
mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses = when it should use .
Example: assume we have 2 entries in scatterlist, 4K each, offset is
4K. The current code will return first entry + 4K when we really want
the second entry.
In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.
Signed-off-by: Michael S. Tsirkin [EMAIL PROTECTED]
Signed-off-by: Roland Dreier [EMAIL PROTECTED]
Signed-off-by: Chris Wright [EMAIL PROTECTED]
---
This is upstream, and fixes a data corruption/crash bug with storage
over SRP.
drivers/infiniband/hw/mthca/mthca_memfree.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.2.orig/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ linux-2.6.19.2/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_
list_for_each_entry(chunk, icm-chunk_list, list) {
for (i = 0; i chunk-npages; ++i) {
- if (chunk-mem[i].length = offset) {
+ if (chunk-mem[i].length offset) {
page = chunk-mem[i].page;
goto out;
}
--
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
