Commit da343b6d authored Feb 25, 2018 by Sergey Gorenko Committed by Jason Gunthorpe Feb 28, 2018

IB/mlx5: Fix incorrect size of klms in the memory region



The value of mr->ndescs greater than mr->max_descs is set in the
function mlx5_ib_sg_to_klms() if sg_nents is greater than
mr->max_descs. This is an invalid value and it causes the
following error when registering mr:

mlx5_0:dump_cqe:276:(pid 193): dump error cqe
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 0f 00 78 06 25 00 00 8b 08 1e 8f d3

Cc: <stable@vger.kernel.org> # 4.5
Fixes: b005d316 ("mlx5: Add arbitrary sg list support")
Signed-off-by: Sergey Gorenko <sergeygo@mellanox.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

parent f4576587

drivers/infiniband/hw/mlx5/mr.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1816,7 +1816,6 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr,

		mr->ibmr.iova = sg_dma_address(sg) + sg_offset;
		mr->ibmr.length = 0;
		mr->ndescs = sg_nents;

		for_each_sg(sgl, sg, sg_nents, i) {
		if (unlikely(i >= mr->max_descs))
		@@ -1828,6 +1827,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr,

		sg_offset = 0;
		}
		mr->ndescs = i;

		if (sg_offset_p)
		*sg_offset_p = sg_offset;