Commit:     46707e96b7254663139225ab6c9ab9922cd8c435
Parent:     d1398a6ff503a849f3c123bc5f0fdff383a1b6ec
Author:     Michael S. Tsirkin <[EMAIL PROTECTED]>
AuthorDate: Wed Jan 3 14:46:30 2007 +0200
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Thu Jan 4 19:46:32 2007 -0800

    IB/mthca: Fix off-by-one in FMR handling on memfree
    mthca_table_find() will return the wrong address when the table entry
    being searched for is exactly at the beginning of a sglist entry
    (other than the first), because it uses >= when it should use >.
    Example: assume we have 2 entries in scatterlist, 4K each, offset is
    4K.  The current code will return first entry + 4K when we really want
    the second entry.
    In particular this means mapping an FMR on a memfree HCA may end up
    writing the page table into the wrong place, leading to memory
    corruption and also causing the HCA to use an incorrect address
    translation table.
    Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
 drivers/infiniband/hw/mthca/mthca_memfree.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c 
index 15cc2f6..6b19645 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -232,7 +232,7 @@ void *mthca_table_find(struct mthca_icm_table *table, int 
        list_for_each_entry(chunk, &icm->chunk_list, list) {
                for (i = 0; i < chunk->npages; ++i) {
-                       if (chunk->mem[i].length >= offset) {
+                       if (chunk->mem[i].length > offset) {
                                page = chunk->mem[i].page;
                                goto out;
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at

Reply via email to