diff options
author | Eli Cohen <eli@dev.mellanox.co.il> | 2014-09-14 15:47:53 +0200 |
---|---|---|
committer | Roland Dreier <roland@purestorage.com> | 2014-10-09 09:08:40 +0200 |
commit | 1c3ce90d0acb0c661910dd84f416b3053e9710af (patch) | |
tree | f9023638d399fa1f01e52c7d68f537ff50c8bcac /drivers/infiniband | |
parent | IB/core: Avoid leakage from kernel to user space (diff) | |
download | linux-1c3ce90d0acb0c661910dd84f416b3053e9710af.tar.xz linux-1c3ce90d0acb0c661910dd84f416b3053e9710af.zip |
IB/mlx5: Fix possible array overflow
The check to verify that userspace does not provide an invalid index to the
micro UAR was placed too late. Fix this by moving the check before using the
index.
Reported by: Shachar Raindel <raindel@mellanox.com>
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r-- | drivers/infiniband/hw/mlx5/main.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index ecd3aebc46fe..a24431746377 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -650,13 +650,13 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm return -EINVAL; idx = get_index(vma->vm_pgoff); + if (idx >= uuari->num_uars) + return -EINVAL; + pfn = uar_index2pfn(dev, uuari->uars[idx].index); mlx5_ib_dbg(dev, "uar idx 0x%lx, pfn 0x%llx\n", idx, (unsigned long long)pfn); - if (idx >= uuari->num_uars) - return -EINVAL; - vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); if (io_remap_pfn_range(vma, vma->vm_start, pfn, PAGE_SIZE, vma->vm_page_prot)) |