diff options
authorMichael S. Tsirkin <>2007-03-11 07:37:12 +0100
committerAdrian Bunk <>2007-03-11 07:37:12 +0100
commit59d2b001518d200ba99d213e41c892f5fe750d07 (patch)
parent4b3c56f0239d50fff032d3ff53f7b7509d10b53b (diff)
IB/mthca: Fix off-by-one in FMR handling on memfree
From: Michael S. Tsirkin <> mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >. Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry. In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table. Signed-off-by: Michael S. Tsirkin <> Signed-off-by: Roland Dreier <> Signed-off-by: Adrian Bunk <>
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c
index d709cb162a72..f3a8db0bc6dc 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -231,7 +231,7 @@ void *mthca_table_find(struct mthca_icm_table *table, int obj)
list_for_each_entry(chunk, &icm->chunk_list, list) {
for (i = 0; i < chunk->npages; ++i) {
- if (chunk->mem[i].length >= offset) {
+ if (chunk->mem[i].length > offset) {
page = chunk->mem[i].page;
goto out;