[openib-general] Fwd: bug in mthca_qp.c (GEN 2)
Roland Dreier
rdreier at cisco.com
Mon Feb 5 14:00:51 PST 2007
> Roland, what do you think?
> Looks pretty severe actually.
> static void to_ib_ah_attr(struct mthca_dev *dev, struct ib_ah_attr *ib_ah_attr,
> struct mthca_qp_path *path)
> {
> memset(ib_ah_attr, 0, sizeof *path);
It's definitely a bug but I don't think it's very severe -- the only
calls to to_ib_ah_attr are in mthca_query_qp, where the function is
used to fill in fields embedded in a struct ib_qp_attr, and even
though the memset overruns the ib_ah_attr slightly, it only zeros out
fields that are set later in the function anyway. So with current
code at least the bug is harmless.
Anyway, I queued the patch below for 2.6.21:
IB/mthca: Use correct structure size in call to memset()
When clearing the ib_ah_attr parameter in to_ib_ah_attr(), use sizeof
*ib_ah_attr instead of sizeof *path.
Pointed out by Jack Morgenstein <jackm at mellanox.co.il>.
Signed-off-by: Roland Dreier <rolandd at cisco.com>
---
drivers/infiniband/hw/mthca/mthca_qp.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/infiniband/hw/mthca/mthca_qp.c b/drivers/infiniband/hw/mthca/mthca_qp.c
index 5f5214c..224c93d 100644
--- a/drivers/infiniband/hw/mthca/mthca_qp.c
+++ b/drivers/infiniband/hw/mthca/mthca_qp.c
@@ -399,7 +399,7 @@ static int to_ib_qp_access_flags(int mthca_flags)
static void to_ib_ah_attr(struct mthca_dev *dev, struct ib_ah_attr *ib_ah_attr,
struct mthca_qp_path *path)
{
- memset(ib_ah_attr, 0, sizeof *path);
+ memset(ib_ah_attr, 0, sizeof *ib_ah_attr);
ib_ah_attr->port_num = (be32_to_cpu(path->port_pkey) >> 24) & 0x3;
if (ib_ah_attr->port_num == 0 || ib_ah_attr->port_num > dev->limits.num_ports)
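Review bot: The corrected size expression is right, since `sizeof *ib_ah_attr` now names the object actually being cleared, but the commit message should also record why the old overrun was benign: ib_ah_attr is embedded in a struct ib_qp_attr, so `sizeof *path` zeroed neighbouring qp_attr fields instead of faulting, and that was only harmless because mthca_query_qp reassigns those fields afterwards. Stating that dependency in the log helps anyone backporting this or reordering the caller, and the pattern to keep is a clear whose size is taken from the destination pointer rather than from another object.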
--
1.4.4.1
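Added example (not Roland's patch and not mthca driver code): a stand-alone C program with constructed stand-in layouts, demo_ah_attr, demo_qp_path and demo_qp_attr, that shows the bug class above. The struct names, field names and sizes are assumptions chosen to mirror the situation described (a small struct embedded in a larger one, cleared with the sizeof of an unrelated larger struct); they are not the real ib_ah_attr, mthca_qp_path or ib_qp_attr layouts. neighbours_intact() compares the buggy clear against the fixed one, and CLEAR_OBJ() is the idiom that ties the memset size to the destination pointer so the two cannot drift apart.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in layouts for the demonstration; these are NOT the
 * real struct ib_ah_attr / struct mthca_qp_path / struct ib_qp_attr. */
struct demo_ah_attr {          /* the object the clear is meant for */
    uint8_t  port_num;
    uint8_t  sl;
    uint16_t dlid;
};                             /* 4 bytes */

struct demo_qp_path {          /* the larger object the function reads from */
    uint32_t port_pkey;
    uint32_t flow_label;
    uint8_t  rgid[16];
};                             /* 24 bytes */

struct demo_qp_attr {          /* the enclosing object, like struct ib_qp_attr */
    uint32_t            qp_state;
    struct demo_ah_attr ah_attr;      /* embedded, as in mthca_query_qp */
    uint32_t            pkey_index;   /* neighbours an overrun would clobber */
    uint32_t            timeout;
    uint8_t             reserved[16]; /* keeps the demo overrun inside this object */
};

/* Tie the cleared size to the pointer being cleared. */
#define CLEAR_OBJ(p) memset((p), 0, sizeof *(p))

/* Bytes written past the end of a member of `member_size` bytes when
 * `n` bytes are cleared starting at that member; 0 means in bounds. */
static size_t overrun_bytes(size_t member_size, size_t n)
{
    return n > member_size ? n - member_size : 0;
}

/* Shape of the original bug: the size comes from the wrong object.
 * `n` arrives at run time so the compiler cannot fold the call away. */
static void clear_ah_attr_buggy(struct demo_qp_attr *qp, size_t n)
{
    memset(&qp->ah_attr, 0, n);
}

/* Shape of the fix: the size comes from the object being cleared. */
static void clear_ah_attr_fixed(struct demo_qp_attr *qp)
{
    CLEAR_OBJ(&qp->ah_attr);
}

/* Returns 1 if the fields next to ah_attr survive the clear and ah_attr
 * itself is zeroed, 0 if a neighbour was clobbered. */
static int neighbours_intact(int use_fixed)
{
    struct demo_qp_attr qp;
    /* volatile keeps the wrong size opaque to the optimizer */
    volatile size_t wrong_size = sizeof(struct demo_qp_path);

    memset(&qp, 0xAA, sizeof qp);     /* sentinel pattern in every byte */
    qp.pkey_index = 0x11223344u;
    qp.timeout    = 0x55667788u;

    if (use_fixed)
        clear_ah_attr_fixed(&qp);
    else
        clear_ah_attr_buggy(&qp, wrong_size);

    return qp.pkey_index == 0x11223344u && qp.timeout == 0x55667788u
        && qp.ah_attr.port_num == 0 && qp.ah_attr.dlid == 0;
}
```

With these layouts the buggy clear writes 20 bytes past ah_attr, wiping pkey_index and timeout; in the driver the equivalent neighbours were only safe because the caller reassigned them afterwards, which is exactly the kind of dependency a reviewer wants stated rather than relied on silently.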