IPoIB/cm: Partial error clean up unmaps wrong address

If a page can't be allocated for the frag list of a skb, the code to unmap the partially allocated list is off by one. For exaple, if 'frags' equals one, i == 0, and the alloc_page() fails, then the old loop would have unmapped mapping[1] which is uninitialized. The same would happen if the call to ib_dma_map_page() failed. Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com> Acked-by: Michael S. Tsirkin <mst@dev.mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>

IPoIB/cm: Partial error clean up unmaps wrong address
If a page can't be allocated for the frag list of a skb, the code to unmap the partially allocated list is off by one. For exaple, if 'frags' equals one, i == 0, and the alloc_page() fails, then the old loop would have unmapped mapping[1] which is uninitialized. The same would happen if the call to ib_dma_map_page() failed. Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com> Acked-by: Michael S. Tsirkin <mst@dev.mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
841adfca · Ralph Campbell · Roland Dreier · 786f238e · 841adfca
Commit 841adfca authored Jun 29, 2007 by Ralph Campbell Committed by Roland Dreier Jul 02, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/infiniband/ulp/ipoib/ipoib_cm.c drivers/infiniband/ulp/ipoib/ipoib_cm.c +2 -2

No files found.
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -148,8 +148,8 @@ static struct sk_buff *ipoib_cm_alloc_rx_skb(struct net_device *dev, int id, int

 	ib_dma_unmap_single(priv->ca, mapping[0], IPOIB_CM_HEAD_SIZE, DMA_FROM_DEVICE);

-	for (; i >= 0; --i)
-		ib_dma_unmap_single(priv->ca, mapping[i + 1], PAGE_SIZE, DMA_FROM_DEVICE);
+	for (; i > 0; --i)
+		ib_dma_unmap_single(priv->ca, mapping[i], PAGE_SIZE, DMA_FROM_DEVICE);

 	dev_kfree_skb_any(skb);
 	return NULL;