RE: [PATCH] RDMA/siw: Fix potential page_array out of range access
From: Bernard Metzler
Date: Tue Feb 28 2023 - 05:05:59 EST
> -----Original Message-----
> From: Daniil Dulov <d.dulov@xxxxxxxxxx>
> Sent: Monday, 27 February 2023 10:18
> To: Bernard Metzler <BMT@xxxxxxxxxxxxxx>
> Cc: Daniil Dulov <d.dulov@xxxxxxxxxx>; Doug Ledford <dledford@xxxxxxxxxx>;
> Jason Gunthorpe <jgg@xxxxxxxx>; linux-rdma@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; lvc-project@xxxxxxxxxxxxxxxx
> Subject: [EXTERNAL] [PATCH] RDMA/siw: Fix potential page_array out of range
> access
>
> When seg is equal to MAX_ARRAY, the loop should break, otherwise
> it will result in out of range access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
> Signed-off-by: Daniil Dulov <d.dulov@xxxxxxxxxx>
> ---
> drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c
> b/drivers/infiniband/sw/siw/siw_qp_tx.c
> index 3c3ae5ef2942..f9eb314c6e14 100644
> --- a/drivers/infiniband/sw/siw/siw_qp_tx.c
> +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
> @@ -548,7 +548,7 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct
> socket *s)
> data_len -= plen;
> fp_off = 0;
>
> - if (++seg > (int)MAX_ARRAY) {
> + if (++seg == (int)MAX_ARRAY) {
Absolutely! For superstitious people like me,
maybe even write '>=' here. Thank you!
> siw_dbg_qp(tx_qp(c_tx), "to many fragments\n");
> siw_unmap_pages(page_array, kmap_mask);
> wqe->processed -= c_tx->bytes_unsent;
> --
> 2.25.1