RDMA/nes: Fix off-by-one in nes_reg_user_mr() error path
nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512 rather than just testing for strict >, because page_count is essentially used as an index into an array with 1024 * 512 entries, so allowing the loop to continue with page_count == 1024 * 512 means that memory after the end of the array is corrupted. This leads to a crash triggerable by a userspace application that requests registration of a too-big region. Also get rid of the call to pci_free_consistent() here to avoid corrupting state with a double free, since the same memory will be freed in the code jumped to at reg_user_mr_err. Signed-off-by: Roland Dreier <rolandd@cisco.com>
parent
5e70b7f3c2
commit
24797a3442
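--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2456,10 +2456,8 @@ static struct ib_mr *nes_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
 if ((page_count!=0)&&(page_count<<12)-(region->offset&(4096-1))>=region->length)
 goto enough_pages;
 if ((page_count&0x01FF) == 0) {
-if (page_count>(1024*512)) {
+if (page_count >= 1024 * 512) {
 ib_umem_release(region);
-pci_free_consistent(nesdev->pcidev, 4096, vpbl.pbl_vbase,
-vpbl.pbl_pbase);
 nes_free_resource(nesadapter,
 nesadapter->allocated_mrs, stag_index);
 kfree(nesmr);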
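Review bot: The corrected bound `if (page_count >= 1024 * 512)` still leaves the PBL capacity as an unnamed magic number, and nothing at the check explains why equality must now be rejected, so the next reader has no way to tell that this is the array size rather than an arbitrary limit. A named constant plus a one-line why-comment would pin the invariant the fix depends on: `/* page_count indexes a 1024*512-entry PBL; equality would write past its end */` above the check, with the literal replaced by something like `NES_MAX_PBL_PAGES` defined once next to the table it describes. The check is only evaluated when `(page_count & 0x01FF) == 0`, which works because the limit is a multiple of 512, but that coupling is worth stating in the same comment. The commit description says the dropped pci_free_consistent() is covered by the cleanup at reg_user_mr_err; that label and the rest of nes_reg_user_mr() lie outside this hunk, so the remaining error path after kfree(nesmr) cannot be confirmed from here.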