authorEli Cohen <eli@dev.mellanox.co.il>2014-09-14 15:47:53 +0200
committerRoland Dreier <roland@purestorage.com>2014-10-09 09:08:40 +0200
commit1c3ce90d0acb0c661910dd84f416b3053e9710af (patch)
treef9023638d399fa1f01e52c7d68f537ff50c8bcac /drivers/infiniband
parentIB/core: Avoid leakage from kernel to user space (diff)
IB/mlx5: Fix possible array overflow
The check to verify that userspace does not provide an invalid index to the micro UAR was placed too late. Fix this by moving the check before using the index. Reported by: Shachar Raindel <raindel@mellanox.com> Signed-off-by: Eli Cohen <eli@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r--drivers/infiniband/hw/mlx5/main.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index ecd3aebc46fe..a24431746377 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -650,13 +650,13 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm
return -EINVAL;
idx = get_index(vma->vm_pgoff);
+ if (idx >= uuari->num_uars)
+ return -EINVAL;
+
pfn = uar_index2pfn(dev, uuari->uars[idx].index);
mlx5_ib_dbg(dev, "uar idx 0x%lx, pfn 0x%llx\n", idx,
(unsigned long long)pfn);
- if (idx >= uuari->num_uars)
- return -EINVAL;
-
vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
if (io_remap_pfn_range(vma, vma->vm_start, pfn,
PAGE_SIZE, vma->vm_page_prot))
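Review bot: The relocated bounds check on `idx` has no comment saying why it must come before `uuari->uars[idx]`, which leaves it open to being reordered again; a line above it such as `/* idx is derived from the user-supplied vm_pgoff: validate before indexing uars[] */` would record the ordering constraint. Since `idx` is controlled by userspace and indexes the array right after the branch, the access could additionally be clamped with `idx = array_index_nospec(idx, uuari->num_uars);` on kernels that provide `<linux/nospec.h>`, so a mispredicted branch cannot read past the array speculatively. The `>=` comparison only rejects every bad value if `idx` is unsigned, which the `%lx` format suggests but the hunk does not show, so the declaration is worth confirming. mlx5_ib_mmap starts and ends outside the hunk.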