From: tzachid Date: Tue, 26 Aug 2008 11:50:45 +0000 (+0000) Subject: [MTHCA] Fix off-by-one in FMR handling on memfree (mlnx: 2957) X-Git-Url: https://openfabrics.org/gitweb/?a=commitdiff_plain;h=8473644a2ac7602c389c1f86a9cb849c6b3a59f4;p=~shefty%2Frdma-win.git [MTHCA] Fix off-by-one in FMR handling on memfree (mlnx: 2957) (Linux, 05/01/07, Michael S. Tsirkin, commit: 46707e96b7254663139225ab6c9ab9922cd8c435) mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >. Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry. In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table. git-svn-id: svn://openib.tc.cornell.edu/gen1@1507 ad392aa1-c5ef-ae45-8dd8-e69d62a5ef86 --- diff --git a/trunk/hw/mthca/kernel/mthca_memfree.c b/trunk/hw/mthca/kernel/mthca_memfree.c index 975ce6ab..a781f116 100644 --- a/trunk/hw/mthca/kernel/mthca_memfree.c +++ b/trunk/hw/mthca/kernel/mthca_memfree.c @@ -248,7 +248,7 @@ void *mthca_table_find(struct mthca_icm_table *table, int obj) list_for_each_entry(chunk, &icm->chunk_list, list,struct mthca_icm_chunk) { for (i = 0; i < chunk->npages; ++i) { - if ((int)chunk->mem[i].length >= offset) { + if ((int)chunk->mem[i].length > offset) { page = chunk->mem[i].page; goto out; }
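Review bot: The changed test `if ((int)chunk->mem[i].length > offset)` still narrows the entry length to `int` before comparing, so the boundary decision this patch corrects continues to depend on a signed cast. A length that does not fit in `int`, or a negative `offset`, could make the comparison pick the wrong entry. The declaration of `offset` is outside the visible context, so confirm its type first. Then consider rejecting a negative `offset` up front and comparing in the length's own unsigned type. The strict `>` matches the case in the commit message (two 4K entries, offset 4K must resolve to the second entry), but nothing in the code records why. A one-line comment above the test saying that an offset equal to an entry's length belongs to the next entry would keep a later cleanup from turning it back into `>=`.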