[ofa-general] [PATCH] IB/mthca: Read buffer overflow

Roel Kluin roel.kluin at gmail.com
Fri Aug 7 14:02:34 PDT 2009


If the QP was found in MGM in the first iteration, and we break out of
the loop, i == 0 and we read and write mgm->qp[-1].

Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
---
Not entirely sure whether it can happen

diff --git a/drivers/infiniband/hw/mthca/mthca_mcg.c b/drivers/infiniband/hw/mthca/mthca_mcg.c
index d4c8105..fd72665 100644
--- a/drivers/infiniband/hw/mthca/mthca_mcg.c
+++ b/drivers/infiniband/hw/mthca/mthca_mcg.c
@@ -272,8 +272,10 @@ int mthca_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid)
 		goto out;
 	}
 
-	mgm->qp[loc]   = mgm->qp[i - 1];
-	mgm->qp[i - 1] = 0;
+	if (i != 0) {
+		mgm->qp[loc]   = mgm->qp[i - 1];
+		mgm->qp[i - 1] = 0;
+	}
 
 	err = mthca_WRITE_MGM(dev, index, mailbox, &status);
 	if (err)
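Review bot: the `if (i != 0)` guard avoids the `mgm->qp[-1]` access, but when it is taken the slot at `mgm->qp[loc]` is never cleared before `mthca_WRITE_MGM()` writes the entry back, so a QP found on the first iteration would remain attached in the MGM after a detach. The hunk does not show how `i` and `loc` are computed, so it is worth confirming whether `i == 0` can coincide with a found QP at all (the cover note says this is uncertain); if it can, the skipped branch should probably become `mgm->qp[loc] = 0;` rather than doing nothing, and if it cannot, a comment (or a `WARN_ON(i == 0)`) documenting the invariant would be clearer than a silent skip. Minor: the subject says "Read buffer overflow" while the changed lines both read and write `mgm->qp[i - 1]`, as the commit message itself states.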