Message ID | 20200519154525.GA66801@mwanda (mailing list archive) |
---|---|
State | Mainlined |
Commit | bf1d8edb38bbf0628c1f2de7d13ab98533c1fe60 |
Delegated to: | Jason Gunthorpe |
Series | RDMA/rtrs: Fix a couple off by one bugs in rtrs_srv_rdma_done() |
On Tue, May 19, 2020 at 5:45 PM Dan Carpenter <dan.carpenter@oracle.com> wrote: > > These > comparisons should be >= to prevent accessing one element > beyond the end of the buffer. > > Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c > index 658c8999cb0d..0b53b79b0e27 100644 > --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c > +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c > @@ -1213,8 +1213,8 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc) > > msg_id = imm_payload >> sess->mem_bits; > off = imm_payload & ((1 << sess->mem_bits) - 1); > - if (unlikely(msg_id > srv->queue_depth || > - off > max_chunk_size)) { > + if (unlikely(msg_id >= srv->queue_depth || > + off >= max_chunk_size)) { > rtrs_err(s, "Wrong msg_id %u, off %u\n", > msg_id, off); > close_sess(sess); > -- > 2.26.2 > Thanks a lot, Dan! Acked-by: Danil Kipnis <danil.kipnis@cloud.ionos.com>
On Tue, May 19, 2020 at 06:45:25PM +0300, Dan Carpenter wrote:
> These > comparisons should be >= to prevent accessing one element
> beyond the end of the buffer.
>
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Danil Kipnis <danil.kipnis@cloud.ionos.com>
> ---
>  drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied to for-next, thanks

Jason
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c index 658c8999cb0d..0b53b79b0e27 100644 --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c @@ -1213,8 +1213,8 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc) msg_id = imm_payload >> sess->mem_bits; off = imm_payload & ((1 << sess->mem_bits) - 1); - if (unlikely(msg_id > srv->queue_depth || - off > max_chunk_size)) { + if (unlikely(msg_id >= srv->queue_depth || + off >= max_chunk_size)) { rtrs_err(s, "Wrong msg_id %u, off %u\n", msg_id, off); close_sess(sess);
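Review bot: In the changed condition, `off >= max_chunk_size` rejects only an offset that starts at or past the end of the chunk; the visible lines do not show a check that the message read at `off` also ends inside the chunk, so it is worth confirming that the code after this hunk bounds `off` plus the message length, or adding that check here. The commit message states the one-element overrun but does not name the buffer indexed by `msg_id`, and saying which array has `srv->queue_depth` entries would make the fix easier to verify. Separately, in the unchanged context line `off = imm_payload & ((1 << sess->mem_bits) - 1);` the shift is done on a signed int, and `1U << sess->mem_bits` would avoid undefined behaviour if `mem_bits` can reach 31.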
These > comparisons should be >= to prevent accessing one element
beyond the end of the buffer.

Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)