diff options
author | Ralph Campbell <ralphc@pathscale.com> | 2006-07-17 21:21:24 -0400 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2006-07-24 12:18:07 -0400 |
commit | 16c59419a09f0140a07a1828d6a45656265e07c7 (patch) | |
tree | 561234eaf2a32f143566f62ef660f1cac2b68ebf | |
parent | c9f79bdc21da9c8d466b6ba7c8bbd6b8e0110ce2 (diff) |
IB/ipath: ipath_skip_sge() can break if num_sge > 1
ipath_skip_sge() doesn't exactly duplicate the side effects of
ipath_copy_sge() if num_sge > 1 since it doesn't decrement ss->num_sge.
This could result in the sg_list being accessed out of bounds.
Since ipath_skip_sge() is almost always called with num_sge == 1,
the original "optimization" is almost never used.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r-- | drivers/infiniband/hw/ipath/ipath_verbs.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/drivers/infiniband/hw/ipath/ipath_verbs.c b/drivers/infiniband/hw/ipath/ipath_verbs.c index 70bce7a8d538..d70a9b6b5239 100644 --- a/drivers/infiniband/hw/ipath/ipath_verbs.c +++ b/drivers/infiniband/hw/ipath/ipath_verbs.c | |||
@@ -191,10 +191,6 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length) | |||
191 | { | 191 | { |
192 | struct ipath_sge *sge = &ss->sge; | 192 | struct ipath_sge *sge = &ss->sge; |
193 | 193 | ||
194 | while (length > sge->sge_length) { | ||
195 | length -= sge->sge_length; | ||
196 | ss->sge = *ss->sg_list++; | ||
197 | } | ||
198 | while (length) { | 194 | while (length) { |
199 | u32 len = sge->length; | 195 | u32 len = sge->length; |
200 | 196 | ||