Commit 3ae15e16 authored Apr 30, 2008 by Roland Dreier

IB/mlx4: Fix off-by-one errors in calls to mlx4_ib_free_cq_buf()



When I merged bbf8eed1 ("IB/mlx4: Add support for resizing CQs") I
changed things around so that mlx4_ib_alloc_cq_buf() and
mlx4_ib_free_cq_buf() were used everywhere they could be.  However, I
screwed up the number of entries passed into mlx4_ib_alloc_cq_buf()
in a couple places -- the function bumps the number of entries
internally, so the caller shouldn't add 1 as well.

Passing a too-big value for the number of entries to mlx4_ib_free_cq_buf()
can cause the cleanup to go off the end of an array and corrupt
allocator state in interesting ways.

Signed-off-by: Roland Dreier <rolandd@cisco.com>

parent c65a3500

drivers/infiniband/hw/mlx4/cq.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -246,7 +246,7 @@ struct ib_cq mlx4_ib_create_cq(struct ib_device ibdev, int entries, int vector
		if (context)
		ib_umem_release(cq->umem);
		else
		mlx4_ib_free_cq_buf(dev, &cq->buf, entries);
		mlx4_ib_free_cq_buf(dev, &cq->buf, cq->ibcq.cqe);

		err_db:
		if (!context)
		@@ -434,7 +434,7 @@ int mlx4_ib_destroy_cq(struct ib_cq *cq)
		mlx4_ib_db_unmap_user(to_mucontext(cq->uobject->context), &mcq->db);
		ib_umem_release(mcq->umem);
		} else {
		mlx4_ib_free_cq_buf(dev, &mcq->buf, cq->cqe + 1);
		mlx4_ib_free_cq_buf(dev, &mcq->buf, cq->cqe);
		mlx4_db_free(dev->dev, &mcq->db);
		}