Commit 16c59419 authored by Ralph Campbell's avatar Ralph Campbell Committed by Roland Dreier

IB/ipath: ipath_skip_sge() can break if num_sge > 1

ipath_skip_sge() doesn't exactly duplicate the side effects of
ipath_copy_sge() if num_sge > 1 since it doesn't decrement ss->num_sge.
This could result in the sg_list being accessed out of bounds.
Since ipath_skip_sge() is almost always called with num_sge == 1,
the original "optimization" is almost never used.
Signed-off-by: default avatarRalph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent c9f79bdc
...@@ -191,10 +191,6 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length) ...@@ -191,10 +191,6 @@ void ipath_skip_sge(struct ipath_sge_state *ss, u32 length)
{ {
struct ipath_sge *sge = &ss->sge; struct ipath_sge *sge = &ss->sge;
while (length > sge->sge_length) {
length -= sge->sge_length;
ss->sge = *ss->sg_list++;
}
while (length) { while (length) {
u32 len = sge->length; u32 len = sge->length;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment