From: Bart Van Assche <bvanassche@xxxxxxx>
This patch fixes a potential out-of-bounds array access in srpt_map_sg_to_ib_sge(). This is bugfix port from SCST svn r3262 as recommended by Bart Van Assche for the initial ib_srpt merge.
Cc: Bart Van Assche <bvanassche@xxxxxxx>
Cc: Roland Dreier <roland@xxxxxxxxxxxxxxx>
Signed-off-by: Nicholas A. Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index e412a35..383994d 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1142,7 +1142,8 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
 if (ioctx->rdma_ius && ioctx->n_rdma_ius)
 nrdma = ioctx->n_rdma_ius;
 else {
- nrdma = count / SRPT_DEF_SG_PER_WQE + ioctx->n_rbuf;
+ nrdma = (count + SRPT_DEF_SG_PER_WQE - 1) / SRPT_DEF_SG_PER_WQE
+ + ioctx->n_rbuf;
 ioctx->rdma_ius = kzalloc(nrdma * sizeof *riu, GFP_KERNEL);
 if (!ioctx->rdma_ius)
@@ -1258,11 +1259,11 @@ static int srpt_map_sg_to_ib_sge(struct srpt_rdma_ch *ch,
 }
 ++k;
- if (k == riu->sge_cnt && rsize > 0) {
+ if (k == riu->sge_cnt && rsize > 0 && tsize > 0) {
 ++riu;
 sge = riu->sge;
 k = 0;
- } else if (rsize > 0)
+ } else if (rsize > 0 && tsize > 0)
 ++sge;
 }
 }
--
1.7.2.5
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
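Review bot: The rounded-up `nrdma` in the first hunk still feeds an unchecked multiplication in the `kzalloc(nrdma * sizeof *riu, GFP_KERNEL)` call just below it, and that allocation is the array this patch is protecting. I would write the sizing as `nrdma = DIV_ROUND_UP(count, SRPT_DEF_SG_PER_WQE) + ioctx->n_rbuf;` and allocate with `kcalloc(nrdma, sizeof *riu, GFP_KERNEL)`, so the rounding is self-describing and the size computation is overflow-checked. Where `count` and `ioctx->n_rbuf` come from is not visible here; if they follow the initiator's buffer descriptors, as seems likely for an SRP target, the checked allocation matters more. The function body starts and ends outside the hunk.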
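Review bot: In the second hunk, `++riu` followed by `sge = riu->sge` is still not bounded against the number of entries allocated for `ioctx->rdma_ius`; the new `tsize > 0` test only avoids the step when no data is left to map. That makes the fix depend on the size estimate from the first hunk staying exactly right, so an explicit bound on `riu` before it is dereferenced (failing the mapping if it is exceeded) would turn any future miscount into an error instead of an out-of-bounds access. The same applies to the `++sge` branch relative to `riu->sge_cnt`. A short comment such as `/* tsize == 0: all data mapped, do not advance past the last riu/sge */` would also record why both conditions carry the extra test. The enclosing loops begin outside the hunk, so the exact placement of the bound has to be checked against the full function.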