aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorRalph Campbell <ralphc@pathscale.com>2006-07-17 21:21:24 -0400
committerRoland Dreier <rolandd@cisco.com>2006-07-24 12:18:07 -0400
commit16c59419a09f0140a07a1828d6a45656265e07c7 (patch)
tree561234eaf2a32f143566f62ef660f1cac2b68ebf /drivers
parentc9f79bdc21da9c8d466b6ba7c8bbd6b8e0110ce2 (diff)
IB/ipath: ipath_skip_sge() can break if num_sge > 1
ipath_skip_sge() doesn't exactly duplicate the side effects of ipath_copy_sge() if num_sge > 1 since it doesn't decrement ss->num_sge. This could result in the sg_list being accessed out of bounds. Since ipath_skip_sge() is almost always called with num_sge == 1, the original "optimization" is almost never used. Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/hw/ipath/ipath_verbs.c4
1 files changed, 0 insertions, 4 deletions
diff --git a/drivers/infiniband/hw/ipath/ipath_verbs.c b/drivers/infiniband/hw/ipath/ipath_verbs.c
index 70bce7a8d538..d70a9b6b5239 100644
--- a/drivers/infiniband/hw/ipath/ipath_verbs.c
+++ b/drivers/infiniband/hw/ipath/ipath_verbs.c
@@ -191,10 +191,6 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length)
191{ 191{
192 struct ipath_sge *sge = &ss->sge; 192 struct ipath_sge *sge = &ss->sge;
193 193
194 while (length > sge->sge_length) {
195 length -= sge->sge_length;
196 ss->sge = *ss->sg_list++;
197 }
198 while (length) { 194 while (length) {
199 u32 len = sge->length; 195 u32 len = sge->length;
200 196