RDMA/nes: Fix off-by-one in nes_reg_user_mr() error path
authorRoland Dreier <rolandd@cisco.com>
Tue, 10 Jun 2008 19:29:49 +0000 (12:29 -0700)
committerRoland Dreier <rolandd@cisco.com>
Tue, 10 Jun 2008 19:29:49 +0000 (12:29 -0700)
nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512
rather than just testing for strict >, because page_count is
essentially used as an index into an array with 1024 * 512 entries, so
allowing the loop to continue with page_count == 1024 * 512 means that
memory after the end of the array is corrupted.  This leads to a crash
triggerable by a userspace application that requests registration of a
too-big region.

Also get rid of the call to pci_free_consistent() here to avoid
corrupting state with a double free, since the same memory will be
freed in the code jumped to at reg_user_mr_err.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/hw/nes/nes_verbs.c

index 99b3c4ae86eb0e1c71e0d03c4ebdde85b098155a..d617da9bd35125fe510dd4b7aa9a7332f4066bce 100644 (file)
@@ -2456,10 +2456,8 @@ static struct ib_mr *nes_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
                                                if ((page_count!=0)&&(page_count<<12)-(region->offset&(4096-1))>=region->length)
                                                        goto enough_pages;
                                                if ((page_count&0x01FF) == 0) {
-                                                       if (page_count>(1024*512)) {
+                                                       if (page_count >= 1024 * 512) {
                                                                ib_umem_release(region);
-                                                               pci_free_consistent(nesdev->pcidev, 4096, vpbl.pbl_vbase,
-                                                                               vpbl.pbl_pbase);
                                                                nes_free_resource(nesadapter,
                                                                                nesadapter->allocated_mrs, stag_index);
                                                                kfree(nesmr);