aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@mellanox.co.il>2007-01-03 07:46:30 -0500
committerRoland Dreier <rolandd@cisco.com>2007-01-04 22:46:32 -0500
commit46707e96b7254663139225ab6c9ab9922cd8c435 (patch)
tree37c3863b79be45c0d47f57aa72709ea3b9db64e9 /drivers
parentd1398a6ff503a849f3c123bc5f0fdff383a1b6ec (diff)
IB/mthca: Fix off-by-one in FMR handling on memfree
mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >. Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry. In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table. Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/hw/mthca/mthca_memfree.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c
index 15cc2f6eb47..6b19645d946 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_table *table, int obj)
232 232
233 list_for_each_entry(chunk, &icm->chunk_list, list) { 233 list_for_each_entry(chunk, &icm->chunk_list, list) {
234 for (i = 0; i < chunk->npages; ++i) { 234 for (i = 0; i < chunk->npages; ++i) {
235 if (chunk->mem[i].length >= offset) { 235 if (chunk->mem[i].length > offset) {
236 page = chunk->mem[i].page; 236 page = chunk->mem[i].page;
237 goto out; 237 goto out;
238 } 238 }