Skip to content

Commit

Permalink
IB/ipath: ipath_skip_sge() can break if num_sge > 1
Browse files Browse the repository at this point in the history 
ipath_skip_sge() doesn't exactly duplicate the side effects of
ipath_copy_sge() if num_sge > 1 since it doesn't decrement ss->num_sge.
This could result in the sg_list being accessed out of bounds.
Since ipath_skip_sge() is almost always called with num_sge == 1,
the original "optimization" is almost never used.

Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
  • Loading branch information
Ralph Campbell authored and Roland Dreier committed Jul 24, 2006
1 parent c9f79bd commit 16c5941
Showing 1 changed file with 0 additions and 4 deletions.
4 changes: 0 additions & 4 deletions drivers/infiniband/hw/ipath/ipath_verbs.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -191,10 +191,6 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length)
{
struct ipath_sge *sge = &ss->sge;

while (length > sge->sge_length) {
length -= sge->sge_length;
ss->sge = *ss->sg_list++;
}
while (length) {
u32 len = sge->length;

Expand Down

0 comments on commit 16c5941

Please sign in to comment.