diff options
| author | Leon Romanovsky <leonro@mellanox.com> | 2017-01-18 07:10:30 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-14 22:02:43 -0400 |
| commit | 04f16db056d035785f217f1b958fe49ca3cd9be5 (patch) | |
| tree | 6ab60b03f1ab07141d3e3e765960b01f79667984 | |
| parent | 2e539fa49efda450229e3a13db5202b4d9ae2997 (diff) | |
IB/mlx5: Fix out-of-bound access
commit 0fd27a88c2e4f548937fd7d93fc6e65c4ad7c278 upstream.
When we initialize buffer to create SRQ in kernel,
the number of pages was less than actually used in
following mlx5_fill_page_array().
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/infiniband/hw/mlx5/srq.c | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c index 729b0696626e..d61fd2c727c0 100644 --- a/drivers/infiniband/hw/mlx5/srq.c +++ b/drivers/infiniband/hw/mlx5/srq.c | |||
| @@ -165,8 +165,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, | |||
| 165 | int err; | 165 | int err; |
| 166 | int i; | 166 | int i; |
| 167 | struct mlx5_wqe_srq_next_seg *next; | 167 | struct mlx5_wqe_srq_next_seg *next; |
| 168 | int page_shift; | ||
| 169 | int npages; | ||
| 170 | 168 | ||
| 171 | err = mlx5_db_alloc(dev->mdev, &srq->db); | 169 | err = mlx5_db_alloc(dev->mdev, &srq->db); |
| 172 | if (err) { | 170 | if (err) { |
| @@ -179,7 +177,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, | |||
| 179 | err = -ENOMEM; | 177 | err = -ENOMEM; |
| 180 | goto err_db; | 178 | goto err_db; |
| 181 | } | 179 | } |
| 182 | page_shift = srq->buf.page_shift; | ||
| 183 | 180 | ||
| 184 | srq->head = 0; | 181 | srq->head = 0; |
| 185 | srq->tail = srq->msrq.max - 1; | 182 | srq->tail = srq->msrq.max - 1; |
| @@ -191,10 +188,8 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, | |||
| 191 | cpu_to_be16((i + 1) & (srq->msrq.max - 1)); | 188 | cpu_to_be16((i + 1) & (srq->msrq.max - 1)); |
| 192 | } | 189 | } |
| 193 | 190 | ||
| 194 | npages = DIV_ROUND_UP(srq->buf.npages, 1 << (page_shift - PAGE_SHIFT)); | 191 | mlx5_ib_dbg(dev, "srq->buf.page_shift = %d\n", srq->buf.page_shift); |
| 195 | mlx5_ib_dbg(dev, "buf_size %d, page_shift %d, npages %d, calc npages %d\n", | 192 | in->pas = mlx5_vzalloc(sizeof(*in->pas) * srq->buf.npages); |
| 196 | buf_size, page_shift, srq->buf.npages, npages); | ||
| 197 | in->pas = mlx5_vzalloc(sizeof(*in->pas) * npages); | ||
| 198 | if (!in->pas) { | 193 | if (!in->pas) { |
| 199 | err = -ENOMEM; | 194 | err = -ENOMEM; |
| 200 | goto err_buf; | 195 | goto err_buf; |
| @@ -210,7 +205,7 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev, struct mlx5_ib_srq *srq, | |||
| 210 | } | 205 | } |
| 211 | srq->wq_sig = !!srq_signature; | 206 | srq->wq_sig = !!srq_signature; |
| 212 | 207 | ||
| 213 | in->log_page_size = page_shift - MLX5_ADAPTER_PAGE_SHIFT; | 208 | in->log_page_size = srq->buf.page_shift - MLX5_ADAPTER_PAGE_SHIFT; |
| 214 | if (MLX5_CAP_GEN(dev->mdev, cqe_version) == MLX5_CQE_VERSION_V1 && | 209 | if (MLX5_CAP_GEN(dev->mdev, cqe_version) == MLX5_CQE_VERSION_V1 && |
| 215 | in->type == IB_SRQT_XRC) | 210 | in->type == IB_SRQT_XRC) |
| 216 | in->user_index = MLX5_IB_DEFAULT_UIDX; | 211 | in->user_index = MLX5_IB_DEFAULT_UIDX; |