IB/mlx5: Fix out-of-bound access (0fd27a88) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/infiniband/hw/mlx5/srq.c

+3 −8

Original line number	Diff line number	Diff line
		@@ -165,8 +165,6 @@ static int create_srq_kernel(struct mlx5_ib_dev dev, struct mlx5_ib_srq srq,
		int err;
		int i;
		struct mlx5_wqe_srq_next_seg *next;
		int page_shift;
		int npages;

		err = mlx5_db_alloc(dev->mdev, &srq->db);
		if (err) {
		@@ -179,7 +177,6 @@ static int create_srq_kernel(struct mlx5_ib_dev dev, struct mlx5_ib_srq srq,
		err = -ENOMEM;
		goto err_db;
		}
		page_shift = srq->buf.page_shift;

		srq->head = 0;
		srq->tail = srq->msrq.max - 1;
		@@ -191,10 +188,8 @@ static int create_srq_kernel(struct mlx5_ib_dev dev, struct mlx5_ib_srq srq,
		cpu_to_be16((i + 1) & (srq->msrq.max - 1));
		}

		npages = DIV_ROUND_UP(srq->buf.npages, 1 << (page_shift - PAGE_SHIFT));
		mlx5_ib_dbg(dev, "buf_size %d, page_shift %d, npages %d, calc npages %d\n",
		buf_size, page_shift, srq->buf.npages, npages);
		in->pas = mlx5_vzalloc(sizeof(in->pas) npages);
		mlx5_ib_dbg(dev, "srq->buf.page_shift = %d\n", srq->buf.page_shift);
		in->pas = mlx5_vzalloc(sizeof(in->pas) srq->buf.npages);
		if (!in->pas) {
		err = -ENOMEM;
		goto err_buf;
		@@ -208,7 +203,7 @@ static int create_srq_kernel(struct mlx5_ib_dev dev, struct mlx5_ib_srq srq,
		}
		srq->wq_sig = !!srq_signature;

		in->log_page_size = page_shift - MLX5_ADAPTER_PAGE_SHIFT;
		in->log_page_size = srq->buf.page_shift - MLX5_ADAPTER_PAGE_SHIFT;
		if (MLX5_CAP_GEN(dev->mdev, cqe_version) == MLX5_CQE_VERSION_V1 &&
		in->type == IB_SRQT_XRC)
		in->user_index = MLX5_IB_DEFAULT_UIDX;