If a page can't be allocated for the frag list of a skb,
the code to unmap the partially allocated list is off by one.
Say 'frags' equals one, i == 0, and the alloc_page() fails,
then the old loop would have unmapped mapping[1] which is
uninitialized. The same would happen if the ib_dma_map_page()
failed.
Signed-off-by: Ralph Campbell <[EMAIL PROTECTED]>
diff -r f4233821c831 drivers/infiniband/ulp/ipoib/ipoib_cm.c
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c Thu Jun 28 13:16:47 2007 -0700
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c Fri Jun 29 11:10:22 2007 -0700
@@ -155,8 +155,8 @@ partial_error:
ib_dma_unmap_single(priv->ca, mapping[0], IPOIB_CM_HEAD_SIZE,
DMA_FROM_DEVICE);
- for (; i >= 0; --i)
- ib_dma_unmap_single(priv->ca, mapping[i + 1], PAGE_SIZE,
DMA_FROM_DEVICE);
+ for (; i > 0; --i)
+ ib_dma_unmap_single(priv->ca, mapping[i], PAGE_SIZE,
DMA_FROM_DEVICE);
dev_kfree_skb_any(skb);
return NULL;
_______________________________________________
general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
