Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c3ce90d authored by Eli Cohen's avatar Eli Cohen Committed by Roland Dreier
Browse files

IB/mlx5: Fix possible array overflow 



The check to verify that userspace does not provide an invalid index to the
micro UAR was placed too late. Fix this by moving the check before using the
index.

Reported by: Shachar Raindel <raindel@mellanox.com>
Signed-off-by: default avatarEli Cohen <eli@mellanox.com>
Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
parent 377b5134

drivers/infiniband/hw/mlx5/main.c

+3 −3
Original line number Diff line number Diff line
@@ -650,13 +650,13 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm 
			return -EINVAL;



		idx = get_index(vma->vm_pgoff);

		if (idx >= uuari->num_uars)

			return -EINVAL;



		pfn = uar_index2pfn(dev, uuari->uars[idx].index);

		mlx5_ib_dbg(dev, "uar idx 0x%lx, pfn 0x%llx\n", idx,

			    (unsigned long long)pfn);



		if (idx >= uuari->num_uars)

			return -EINVAL;



		vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);

		if (io_remap_pfn_range(vma, vma->vm_start, pfn,

				       PAGE_SIZE, vma->vm_page_prot))