In patch "IB/core: clarify overflow/underflow checks on ib_create/destroy_flow", the meaning of the size field was modified to only represent the size of the flow_spec appended to the flow_attr structure.
The size of the flow_attr structure must be added when allocating memory for the whole flow_attr + flow_specs buffer. Signed-off-by: Yann Droneaud <[email protected]> Link: http://marc.info/[email protected] Link: http://mid.gmane.org/[email protected] --- drivers/infiniband/core/uverbs_cmd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 63c2700..3b732f6 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2677,7 +2677,8 @@ ssize_t ib_uverbs_create_flow(struct ib_uverbs_file *file, return -EINVAL; if (cmd.flow_attr.num_of_specs) { - kern_flow_attr = kmalloc(cmd.flow_attr.size, GFP_KERNEL); + kern_flow_attr = kmalloc(sizeof(*kern_flow_attr) + cmd.flow_attr.size, + GFP_KERNEL); if (!kern_flow_attr) return -ENOMEM; @@ -2705,7 +2706,7 @@ ssize_t ib_uverbs_create_flow(struct ib_uverbs_file *file, goto err_uobj; } - flow_attr = kmalloc(cmd.flow_attr.size, GFP_KERNEL); + flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL); if (!flow_attr) { err = -ENOMEM; goto err_put; -- 1.8.3.1
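Review bot: in the first hunk, the new kern_flow_attr size, sizeof(*kern_flow_attr) + cmd.flow_attr.size, adds a length taken from the user command to a constant, and nothing visible in this hunk shows an upper bound on that length. If the check ending in "return -EINVAL" just above already bounds cmd.flow_attr.size, please say so in the commit message; otherwise add an explicit bound before the kmalloc() so the sum cannot wrap and produce an undersized buffer.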
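Review bot: in the second hunk, the flow_attr allocation reuses cmd.flow_attr.size, which the commit message defines as the size of the flow_specs appended to the flow_attr structure as supplied in the command, while the header term changes from sizeof(*kern_flow_attr) to sizeof(*flow_attr). Reusing the same spec length for both buffers is only correct if the specs stored after flow_attr never take more space than the ones that arrive after kern_flow_attr; a one-line comment above this kmalloc() stating that invariant would make the sizing reviewable, and if the invariant does not hold the length should be computed separately for this buffer.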
