RDMA/nes: Fix off-by-one in nes_reg_user_mr() error path

nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512
rather than just testing for strict >, because page_count is
essentially used as an index into an array with 1024 * 512 entries, so
allowing the loop to continue with page_count == 1024 * 512 means that
memory after the end of the array is corrupted. This leads to a crash
triggerable by a userspace application that requests registration of a
too-big region.

Also get rid of the call to pci_free_consistent() here to avoid
corrupting state with a double free, since the same memory will be
freed in the code jumped to at reg_user_mr_err.

Signed-off-by: Roland Dreier <rolandd@cisco.com>

+1 -3
drivers/infiniband/hw/nes/nes_verbs.c
··· 2456 2456 if ((page_count!=0)&&(page_count<<12)-(region->offset&(4096-1))>=region->length) 2457 2457 goto enough_pages; 2458 2458 if ((page_count&0x01FF) == 0) { 2459 - if (page_count>(1024*512)) { 2459 + if (page_count >= 1024 * 512) { 2460 2460 ib_umem_release(region); 2461 - pci_free_consistent(nesdev->pcidev, 4096, vpbl.pbl_vbase, 2462 - vpbl.pbl_pbase); 2463 2461 nes_free_resource(nesadapter, 2464 2462 nesadapter->allocated_mrs, stag_index); 2465 2463 kfree(nesmr);
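Review bot: the bound in the new `if (page_count >= 1024 * 512)` test is a bare literal, and nothing visible in the hunk ties it to the size of the array that page_count indexes. A named constant shared with that array's allocation would keep the check and the allocation from drifting apart. Since the test sits inside `if ((page_count&0x01FF) == 0)`, it only runs at multiples of 512. That is fine for 1024 * 512, but a short comment saying so would stop a later change of the limit to a non-multiple from silently skipping the check. Separately, with pci_free_consistent() dropped because reg_user_mr_err frees the same memory, please confirm that the ib_umem_release(region), nes_free_resource() and kfree(nesmr) calls that remain inline here are not also repeated at that label.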