    IB/mthca: Fix off-by-one in FMR handling on memfree · 46707e96
    Michael S. Tsirkin authored
    mthca_table_find() will return the wrong address when the table entry
    being searched for is exactly at the beginning of a sglist entry
    (other than the first), because it uses >= when it should use >.
    
    Example: assume we have 2 entries in scatterlist, 4K each, offset is
    4K.  The current code will return first entry + 4K when we really want
    the second entry.
    
    In particular this means mapping an FMR on a memfree HCA may end up
    writing the page table into the wrong place, leading to memory
    corruption and also causing the HCA to use an incorrect address
    translation table.
    Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
mthca_memfree.c 15.7 KB
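
The boundary case from the commit message, modelled as an added example that is not the driver's code: `struct sg_ent`, `sample_sg`, `find_buggy`, `find_fixed` and the base addresses are constructed for illustration, and the lookup is reduced to a walk over a flat array of entries.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for one scatterlist entry (not the kernel struct). */
struct sg_ent {
    unsigned long base;    /* start address of the entry */
    unsigned long length;  /* bytes covered by the entry */
};

/* Two 4K entries at non-adjacent addresses, as in the commit's example. */
static const struct sg_ent sample_sg[2] = {
    { 0x10000UL, 4096 },
    { 0x50000UL, 4096 },
};

/* Pre-fix comparison: an offset equal to the entry length still matches. */
static unsigned long find_buggy(const struct sg_ent *sg, size_t n,
                                unsigned long offset)
{
    for (size_t i = 0; i < n; ++i) {
        if (sg[i].length >= offset)
            return sg[i].base + offset;
        offset -= sg[i].length;
    }
    return 0; /* not found */
}

/* Post-fix comparison: the offset must fall strictly inside the entry. */
static unsigned long find_fixed(const struct sg_ent *sg, size_t n,
                                unsigned long offset)
{
    for (size_t i = 0; i < n; ++i) {
        if (sg[i].length > offset)
            return sg[i].base + offset;
        offset -= sg[i].length;
    }
    return 0; /* not found */
}

int main(void)
{
    /* Offset 4K is the first byte of the second entry. */
    printf("buggy: %#lx\n", find_buggy(sample_sg, 2, 4096));
    printf("fixed: %#lx\n", find_fixed(sample_sg, 2, 4096));
    return 0;
}
```

With `>=`, the address returned for offset 4K lies one byte past the end of the first entry, which is memory the table does not own whenever the entries are not contiguous.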