[openib-general] [PATCH] mthca: mthca_map_cmd off by one (was Fwd: a bug ?)
Michael S. Tsirkin
mst at mellanox.co.il
Mon Sep 26 07:55:52 PDT 2005
----- Forwarded message from Leonid Keller <leonid at mellanox.co.il> -----
Subject: a bug ?
Date: Mon, 26 Sep 2005 17:17:05 +0300
From: "Leonid Keller" <leonid at mellanox.co.il>
Look at the following code in mthca_map_cmd():
-----------------------------------------------------------------------
pages[nent * 2 + 1] = cpu_to_be64((mthca_icm_addr(&iter) + (i << lg)) | (lg - 12));
...
if (nent == MTHCA_MAILBOX_SIZE / 16) {
	err = mthca_cmd(dev, mailbox->dma, nent, 0, op, CMD_TIME_CLASS_B, status);
	...
	nent = 0;
}
-----------------------------------------------------------------------------
On nent = 256 'pages[nent * 2 + 1]' overruns the mailbox!
It should be
if (nent == MTHCA_MAILBOX_SIZE / 16 - 1)
Right ?
----- End forwarded message -----
Looks like a bug.
The following patch is untested: I don't have memfree hardware at the
moment.
Roland, does this make sense to you?
---
Fix off by one bug in mthca_map_cmd.
Signed-off-by: Michael S. Tsirkin <mst at mellanox.co.il>
Index: linux-kernel/drivers/infiniband/hw/mthca/mthca_cmd.c
===================================================================
--- linux-kernel.orig/drivers/infiniband/hw/mthca/mthca_cmd.c 2005-08-29 10:22:10.000000000 +0300
+++ linux-kernel/drivers/infiniband/hw/mthca/mthca_cmd.c 2005-09-26 17:50:54.000000000 +0300
@@ -616,7 +616,7 @@ static int mthca_map_cmd(struct mthca_de
ts += 1 << (lg - 10);
++tc;
- if (nent == MTHCA_MAILBOX_SIZE / 16) {
+ if (nent == MTHCA_MAILBOX_SIZE / 16 - 1) {
err = mthca_cmd(dev, mailbox->dma, nent, 0, op,
CMD_TIME_CLASS_B, status);
if (err || *status)
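Review bot: the changed comparison on nent cannot be checked from this hunk, because the context lines do not show where nent is incremented relative to the store to pages[nent * 2 + 1]. If the increment sits between that store and this comparison, the last store before a flush already uses nent = MTHCA_MAILBOX_SIZE / 16 - 1, which is 64-bit index MTHCA_MAILBOX_SIZE / 8 - 1, the final slot if pages spans the MTHCA_MAILBOX_SIZE-byte mailbox, and lowering the threshold would only leave one entry unused per command. Please quote the increment in the changelog and state the highest index written before and after the change; the patch is also described as untested, so a bounds assertion on nent before the store would help confirm it.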
--
MST
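The index arithmetic behind the question above, as an added example (not code from the mthca driver or from either author): a user-space model of the batching loop that reports the highest 64-bit slot written for a given flush threshold. It assumes a 4096-byte mailbox (from 256 == MTHCA_MAILBOX_SIZE / 16 in the message) and, because the excerpt elides where nent is incremented, models both orderings; all names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAILBOX_SIZE  0x1000   /* assumed: 256 == MAILBOX_SIZE / 16, per the message */
#define MAILBOX_SLOTS (MAILBOX_SIZE / sizeof(uint64_t))   /* 512 64-bit slots */

/* Where ++nent happens relative to the flush check (elided on the page). */
enum order { INC_BEFORE_CHECK, INC_AFTER_CHECK };

/*
 * Model the loop: each entry stores to pages[nent * 2] and pages[nent * 2 + 1],
 * and the batch is flushed (nent reset to 0) when nent == threshold.
 * Returns the highest slot index touched; *overrun is set if any index
 * falls outside the mailbox. No out-of-bounds store is actually performed.
 */
size_t max_index_written(size_t total, size_t threshold, enum order ord, int *overrun)
{
    size_t nent = 0, max_idx = 0;

    *overrun = 0;
    for (size_t i = 0; i < total; i++) {
        size_t idx = nent * 2 + 1;          /* the store Leonid points at */

        if (idx >= MAILBOX_SLOTS)
            *overrun = 1;
        if (idx > max_idx)
            max_idx = idx;
        if (ord == INC_BEFORE_CHECK)
            ++nent;
        if (nent == threshold) {            /* flush: command issued, batch reset */
            nent = 0;
            continue;
        }
        if (ord == INC_AFTER_CHECK)
            ++nent;
    }
    return max_idx;
}

int main(void)
{
    int o;
    size_t thresholds[] = { MAILBOX_SIZE / 16, MAILBOX_SIZE / 16 - 1 };

    for (int t = 0; t < 2; t++)
        for (int ord = INC_BEFORE_CHECK; ord <= INC_AFTER_CHECK; ord++) {
            size_t m = max_index_written(1000, thresholds[t], (enum order)ord, &o);
            printf("threshold=%zu order=%d max_idx=%zu overrun=%d\n",
                   thresholds[t], ord, m, o);
        }
    return 0;
}
```

Only the combination of the original threshold with an increment after the check touches a slot past the mailbox; with the increment before the check, the `- 1` threshold leaves the last pair of slots unused.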