RDMA/mthca: Use correct sizing on buffers holding page DMA addresses The buffer that holds the page DMA addresses is sized off umem->nmap. This can potentially cause out of bound accesses on the PBL array when iterating the umem DMA-mapped SGL. This is because if umem pages are combined, umem->nmap can be much lower than the number of system pages in umem. Use ib_umem_num_pages() to size this buffer. Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

commit: 41d34865b24c6a0b594b0a69bfe9ea56dff5abcd [log] [tgz]
author: Shiraz Saleem <shiraz.saleem@intel.com> Thu Mar 28 11:49:45 2019 -0500
committer: Jason Gunthorpe <jgg@mellanox.com> Thu Mar 28 14:13:27 2019 -0300
tree: f8c21b06f980dd2585c4c13d6cb3bb668a3a0fea
parent: 5f818d676ac455bbc812ffaaf5bf780be5465114 [diff]
diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
index d063d7a..35c3119 100644
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c

@@ -914,7 +914,7 @@
 		goto err;
 	}
 
-	n = mr->umem->nmap;
+	n = ib_umem_num_pages(mr->umem);
 
 	mr->mtt = mthca_alloc_mtt(dev, n);
 	if (IS_ERR(mr->mtt)) {
commit	41d34865b24c6a0b594b0a69bfe9ea56dff5abcd	[log] [tgz]
author	Shiraz Saleem <shiraz.saleem@intel.com>	Thu Mar 28 11:49:45 2019 -0500
committer	Jason Gunthorpe <jgg@mellanox.com>	Thu Mar 28 14:13:27 2019 -0300
tree	f8c21b06f980dd2585c4c13d6cb3bb668a3a0fea
parent	5f818d676ac455bbc812ffaaf5bf780be5465114 [diff]