RDMA/siw: Fix potential page_array out of range access

When seg is equal to MAX_ARRAY, the loop should break, otherwise it will result in out of range access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b9be6f18 ("rdma/siw: transmit path") Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> Link: https://lore.kernel.org/r/20230227091751.589612-1-d.dulov@aladdin.ruSigned-off-by: Leon Romanovsky <leon@kernel.org>

RDMA/siw: Fix potential page_array out of range access
When seg is equal to MAX_ARRAY, the loop should break, otherwise it will result in out of range access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b9be6f18 ("rdma/siw: transmit path") Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> Link: https://lore.kernel.org/r/20230227091751.589612-1-d.dulov@aladdin.ruSigned-off-by: Leon Romanovsky <leon@kernel.org>
271bfcfb · Daniil Dulov · Leon Romanovsky · c874ad87 · 271bfcfb
Commit 271bfcfb authored Feb 27, 2023 by Daniil Dulov Committed by Leon Romanovsky Mar 13, 2023
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/infiniband/sw/siw/siw_qp_tx.c drivers/infiniband/sw/siw/siw_qp_tx.c +1 -1

No files found.
--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
@@ -558,7 +558,7 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct socket *s)
 			data_len -= plen;
 			fp_off = 0;

-			if (++seg > (int)MAX_ARRAY) {
+			if (++seg >= (int)MAX_ARRAY) {
 				siw_dbg_qp(tx_qp(c_tx), "to many fragments\n");
 				siw_unmap_pages(iov, kmap_mask, seg-1);
 				wqe->processed -= c_tx->bytes_unsent;