Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 30d149ab authored by Ralph Campbell's avatar Ralph Campbell Committed by Roland Dreier
Browse files

IB/ipath: Fix possible data corruption if multiple SGEs used for receive 



The code to copy data from the receive queue buffers to the IB SGEs
doesn't check the SGE length, only the memory region/page length when
copying data.  This could overwrite parts of the user's memory that
were not intended to be written.  It can only happen if multiple SGEs
are used to describe a receive buffer which almost never happens in
practice.

Signed-off-by: default avatarRalph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent db5518cd

drivers/infiniband/hw/ipath/ipath_ruc.c

+2 −0
Original line number Diff line number Diff line
@@ -396,6 +396,8 @@ again: 


		if (len > sge->length)

			len = sge->length;

		if (len > sge->sge_length)

			len = sge->sge_length;

		BUG_ON(len == 0);

		ipath_copy_sge(&qp->r_sge, sge->vaddr, len);

		sge->vaddr += len;

drivers/infiniband/hw/ipath/ipath_ud.c

+2 −0
Original line number Diff line number Diff line
@@ -231,6 +231,8 @@ static void ipath_ud_loopback(struct ipath_qp *sqp, 


		if (len > length)

			len = length;

		if (len > sge->sge_length)

			len = sge->sge_length;

		BUG_ON(len == 0);

		ipath_copy_sge(&rsge, sge->vaddr, len);

		sge->vaddr += len;

drivers/infiniband/hw/ipath/ipath_verbs.c

+6 −2
Original line number Diff line number Diff line
@@ -164,9 +164,11 @@ void ipath_copy_sge(struct ipath_sge_state *ss, void *data, u32 length) 
	while (length) {

		u32 len = sge->length;



		BUG_ON(len == 0);

		if (len > length)

			len = length;

		if (len > sge->sge_length)

			len = sge->sge_length;

		BUG_ON(len == 0);

		memcpy(sge->vaddr, data, len);

		sge->vaddr += len;

		sge->length -= len;
@@ -202,9 +204,11 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length) 
	while (length) {

		u32 len = sge->length;



		BUG_ON(len == 0);

		if (len > length)

			len = length;

		if (len > sge->sge_length)

			len = sge->sge_length;

		BUG_ON(len == 0);

		sge->vaddr += len;

		sge->length -= len;

		sge->sge_length -= len;