----- Forwarded message from Leonid Keller <[EMAIL PROTECTED]> -----
Subject: a bug ?
Date: Mon, 26 Sep 2005 17:17:05 +0300
From: "Leonid Keller" <[EMAIL PROTECTED]>
look at the following code in mthca_map_cmd():
-----------------------------------------------------------------------
pages[nent * 2 + 1] = cpu_to_be64((mthca_icm_addr(&iter) + (i << lg)) | (lg
- 12));
...
if (nent == MTHCA_MAILBOX_SIZE / 16) {
err = mthca_cmd(dev, mailbox->dma, nent, 0, op, CMD_TIME_CLASS_B, status);
...
nent = 0;
}
-----------------------------------------------------------------------------
On nent = 256 'pages[nent * 2 + 1]' overruns mailbox !
It is to be
if (nent == MTHCA_MAILBOX_SIZE / 16 - 1)
Right ?
----- End forwarded message -----
Looks like a bug.
The following patch is untested: I dont have memfree hardware at the
moment.
Roland, does this make sense to you?
---
Fix off by one bug in mthca_map_cmd.
Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]>
Index: linux-kernel/drivers/infiniband/hw/mthca/mthca_cmd.c
===================================================================
--- linux-kernel.orig/drivers/infiniband/hw/mthca/mthca_cmd.c 2005-08-29
10:22:10.000000000 +0300
+++ linux-kernel/drivers/infiniband/hw/mthca/mthca_cmd.c 2005-09-26
17:50:54.000000000 +0300
@@ -616,7 +616,7 @@ static int mthca_map_cmd(struct mthca_de
ts += 1 << (lg - 10);
++tc;
- if (nent == MTHCA_MAILBOX_SIZE / 16) {
+ if (nent == MTHCA_MAILBOX_SIZE / 16 - 1) {
err = mthca_cmd(dev, mailbox->dma, nent, 0, op,
CMD_TIME_CLASS_B, status);
if (err || *status)
--
MST
_______________________________________________
openib-general mailing list
[email protected]
http://openib.org/mailman/listinfo/openib-general
To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
