| From c0dc72bad9cf21071f5e4005de46f7c8b67a138a Mon Sep 17 00:00:00 2001 |
| From: Sebastien Dugue <sebastien.dugue@bull.net> |
| Date: Thu, 20 May 2010 15:58:22 -0700 |
| Subject: mlx4_core: Fix possible chunk sg list overflow in mlx4_alloc_icm() |
| |
| From: Sebastien Dugue <sebastien.dugue@bull.net> |
| |
| commit c0dc72bad9cf21071f5e4005de46f7c8b67a138a upstream. |
| |
| If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, |
| we must set chunk to NULL even for coherent mappings so that the next |
| time through the loop will allocate another chunk. Otherwise we'll |
| overflow the sg list the next time through the loop. This will lead to |
| memory corruption if this case is hit. |
| |
| mthca does not have this bug. |
| |
| Signed-off-by: Sebastien Dugue <sebastien.dugue@bull.net> |
| Signed-off-by: Roland Dreier <rolandd@cisco.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/net/mlx4/icm.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/mlx4/icm.c |
| +++ b/drivers/net/mlx4/icm.c |
| @@ -174,9 +174,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct m |
| |
| if (chunk->nsg <= 0) |
| goto fail; |
| + } |
| |
| + if (chunk->npages == MLX4_ICM_CHUNK_LEN) |
| chunk = NULL; |
| - } |
| |
| npages -= 1 << cur_order; |
| } else { |
