diff mbox series

[rdma-next,5/5] RDMA/rdmavt: Use correct sizing on buffers holding page DMA addresses

Message ID 20190318132340.16892-6-shiraz.saleem@intel.com (mailing list archive)
State Superseded
Headers show
Series Use correct sizing on buffers holding page DMA addresses | expand

Commit Message

Shiraz Saleem March 18, 2019, 1:23 p.m. UTC 
The buffer that holds the page DMA addresses is sized off umem->nmap.
This can potentially cause out of bound accesses on the PBL array when
iterating the umem DMA-mapped SGL. This is because if umem pages are
combined, umem->nmap can be much lower than the number of system pages
in umem.

Use umem->npages to size this buffer.

Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
Cc: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
---
 drivers/infiniband/sw/rdmavt/mr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/drivers/infiniband/sw/rdmavt/mr.c b/drivers/infiniband/sw/rdmavt/mr.c
index 7287950..7bc9d5d 100644
--- a/drivers/infiniband/sw/rdmavt/mr.c
+++ b/drivers/infiniband/sw/rdmavt/mr.c
@@ -392,7 +392,7 @@  struct ib_mr *rvt_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
 	if (IS_ERR(umem))
 		return (void *)umem;
 
-	n = umem->nmap;
+	n = umem->npages;
 
 	mr = __rvt_alloc_mr(n, pd);
 	if (IS_ERR(mr)) {