[openib-general] Fwd: bug in mthca_qp.c (GEN 2)

Roland Dreier rdreier at cisco.com
Mon Feb 5 14:00:51 PST 2007


 > Roland, what do you think?
 > Looks pretty severe actually.

 > static void to_ib_ah_attr(struct mthca_dev *dev, struct ib_ah_attr *ib_ah_attr,
 >     struct mthca_qp_path *path)
 > {
 >  memset(ib_ah_attr, 0, sizeof *path);

It's definitely a bug but I don't think it's very severe -- the only
calls to to_ib_ah_attr are in mthca_query_qp, where the function is
used to fill in fields embedded in a struct ib_qp_attr, and even
though the memset overruns the ib_ah_attr slightly, it only zeros out
fields that are set later in the function anyway.  So with current
code at least the bug is harmless.


Anyway, I queued the patch below for 2.6.21:

IB/mthca: Use correct structure size in call to memset()

When clearing the ib_ah_attr parameter in to_ib_ah_attr(), use sizeof
*ib_ah_attr instead of sizeof *path.

Pointed out by Jack Morgenstein <jackm at mellanox.co.il>.

Signed-off-by: Roland Dreier <rolandd at cisco.com>
---
 drivers/infiniband/hw/mthca/mthca_qp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/mthca/mthca_qp.c b/drivers/infiniband/hw/mthca/mthca_qp.c
index 5f5214c..224c93d 100644
--- a/drivers/infiniband/hw/mthca/mthca_qp.c
+++ b/drivers/infiniband/hw/mthca/mthca_qp.c
@@ -399,7 +399,7 @@ static int to_ib_qp_access_flags(int mthca_flags)
 static void to_ib_ah_attr(struct mthca_dev *dev, struct ib_ah_attr *ib_ah_attr,
 				struct mthca_qp_path *path)
 {
-	memset(ib_ah_attr, 0, sizeof *path);
+	memset(ib_ah_attr, 0, sizeof *ib_ah_attr);
 	ib_ah_attr->port_num 	  = (be32_to_cpu(path->port_pkey) >> 24) & 0x3;
 
 	if (ib_ah_attr->port_num == 0 || ib_ah_attr->port_num > dev->limits.num_ports)
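Review bot: sizing the memset by the object being written (`sizeof *ib_ah_attr`) is the right fix, and the one-line change matches the changelog. Two things worth adding before this lands: the commit message should record why the old overrun was benign (the explanation given above, that the clobbered bytes are fields of the enclosing struct ib_qp_attr which mthca_query_qp fills in afterwards), since that is exactly what a stable-kernel reviewer needs to judge a backport; and because this is a size-taken-from-the-wrong-struct pattern, it is cheap to scan the remaining memset/memcpy calls in mthca_qp.c for another case where the length comes from a different object than the destination pointer, which this hunk alone cannot rule out.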
-- 
1.4.4.1
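The class of bug discussed in this thread, a memset sized by the source struct instead of the destination, is easy to reproduce in user space so the overrun can be observed rather than reasoned about. The following is an added example and not code from the mthca driver or this thread; the struct layouts are constructed stand-ins (they do not match the real struct ib_ah_attr or struct mthca_qp_path), and a canary placed after the destination makes the overrun visible while keeping every write inside an object the program owns.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the two kernel structs. The fields are illustrative
 * only; the real ib_ah_attr and mthca_qp_path layouts differ. What matters is
 * that the "path" struct is larger than the "attr" struct, as in the driver. */
struct ah_attr_like {            /* plays the role of struct ib_ah_attr */
    uint8_t  port_num;
    uint8_t  sl;
    uint16_t dlid;
    uint8_t  static_rate;
    uint8_t  src_path_bits;
};

struct qp_path_like {            /* plays the role of struct mthca_qp_path */
    uint32_t port_pkey;
    uint8_t  rlid[2];
    uint8_t  ackto;
    uint8_t  mgid_index;
    uint8_t  static_rate;
    uint8_t  hop_limit;
    uint32_t sl_tclass_flowlabel;
    uint8_t  rgid[16];
};

/* The attr followed by a canary, mirroring how ib_ah_attr sits inside the
 * larger ib_qp_attr in the driver: an overrun lands on whatever follows. */
struct attr_with_canary {
    struct ah_attr_like attr;
    uint8_t canary[64];         /* larger than any possible overrun here */
};

#define CANARY_BYTE 0xA5

/* Number of bytes the original call wrote past the end of the attr struct. */
size_t overrun_bytes(void) {
    return sizeof(struct qp_path_like) > sizeof(struct ah_attr_like)
        ? sizeof(struct qp_path_like) - sizeof(struct ah_attr_like) : 0;
}

/* The bug as posted: the length is taken from the source struct (path), not
 * from the destination. noinline keeps the compiler from seeing the real
 * object size, so the overrun happens at runtime exactly as it did in the
 * driver instead of being caught or optimised away in this demonstration. */
__attribute__((noinline))
static void clear_attr_buggy(struct ah_attr_like *attr, const struct qp_path_like *path) {
    memset(attr, 0, sizeof *path);
}

/* The fix in the patch: the length is taken from the object being written. */
__attribute__((noinline))
static void clear_attr_fixed(struct ah_attr_like *attr, const struct qp_path_like *path) {
    (void)path;                 /* the source struct no longer decides the size */
    memset(attr, 0, sizeof *attr);
}

static int canary_intact(const struct attr_with_canary *c) {
    for (size_t i = 0; i < sizeof c->canary; i++)
        if (c->canary[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Runs one clear and reports whether the bytes after the attr survived.
 * Returns 1 if the canary is intact, 0 if the clear wrote past the attr. */
int canary_survives(int use_fixed) {
    struct attr_with_canary c;
    struct qp_path_like path = {0};

    memset(&c, 0xFF, sizeof c);                      /* attr starts non-zero */
    memset(c.canary, CANARY_BYTE, sizeof c.canary);  /* then lay down the canary */

    if (use_fixed)
        clear_attr_fixed(&c.attr, &path);
    else
        clear_attr_buggy(&c.attr, &path);

    return canary_intact(&c);
}

int main(void) {
    printf("sizeof attr = %zu, sizeof path = %zu, overrun = %zu bytes\n",
           sizeof(struct ah_attr_like), sizeof(struct qp_path_like), overrun_bytes());
    printf("buggy memset: canary %s\n", canary_survives(0) ? "intact" : "clobbered");
    printf("fixed memset: canary %s\n", canary_survives(1) ? "intact" : "clobbered");
    return 0;
}
```

With the constructed layouts the buggy clear writes 26 bytes past the attr and the canary is clobbered, while the fixed clear leaves it untouched. In the driver the clobbered bytes happened to be fields of ib_qp_attr that were rewritten later, which is why the thread calls the bug harmless; the same mistake next to a field that is not rewritten, or at the end of an allocation, would not be.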
