From: Roland Dreier <rolandd@cisco.com>
Date: Tue, 10 Jun 2008 19:29:49 +0000 (-0700)
Subject: RDMA/nes: Fix off-by-one in nes_reg_user_mr() error path
X-Git-Tag: v2.6.26-rc7~15^2~1
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24797a344293601f14f49e2d259c3ca447c4f802;p=pandora-kernel.git

RDMA/nes: Fix off-by-one in nes_reg_user_mr() error path

nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512
rather than just testing for strict >, because page_count is
essentially used as an index into an array with 1024 * 512 entries, so
allowing the loop to continue with page_count == 1024 * 512 means that
memory after the end of the array is corrupted.  This leads to a crash
triggerable by a userspace application that requests registration of a
too-big region.

Also get rid of the call to pci_free_consistent() here to avoid
corrupting state with a double free, since the same memory will be
freed in the code jumped to at reg_user_mr_err.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
---

Reading git-diff-tree failed