Skip to content

Commit

Permalink
mlx4_core: Fix possible chunk sg list overflow in mlx4_alloc_icm()
Browse files Browse the repository at this point in the history 
If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN,
we must set chunk to NULL even for coherent mappings so that the next
time through the loop will allocate another chunk.  Otherwise we'll
overflow the sg list the next time through the loop.  This will lead to
memory corruption if this case is hit.

mthca does not have this bug.

Signed-off-by: Sebastien Dugue <sebastien.dugue@bull.net>
Cc: <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
  • Loading branch information
Sebastien Dugue authored and Roland Dreier committed May 20, 2010
1 parent a0fe3cc commit c0dc72b
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/net/mlx4/icm.c
View file
Original file line number Diff line number Diff line change
@@ -175,9 +175,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages,

if (chunk->nsg <= 0)
goto fail;
}

if (chunk->npages == MLX4_ICM_CHUNK_LEN)
chunk = NULL;
}

npages -= 1 << cur_order;
} else {

0 comments on commit c0dc72b

Please sign in to comment.