net: rds: fix excess initialization of the recv SGEs

In rds_ib_recv_init_ring(), an excess array element is incorrectly
initialized. This is not an OOB situation, as the sge array is
initialized to eight entries. With a fragment size of a maximum of 16KiB
and a page size of minimum 4KiB, then num_send_sge can at most become
five.

Orabug: 29004503

Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
Reviewed-by: HÃ¥kon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/net/rds/ib_recv.c b/net/rds/ib_recv.c
index d07bc2b285ece33bdd2fe286fd9779dde96bc206..c0fb3cf3b947c2b98631dafc743d99d8e32d8928 100644 (file)
--- a/net/rds/ib_recv.c
+++ b/net/rds/ib_recv.c
@@ -81,7 +81,7 @@ void rds_ib_recv_init_ring(struct rds_ib_connection *ic)
                sge->length = sizeof(struct rds_header);
                sge->lkey = ic->i_mr->lkey;
 
-               for (j = 1; j <= num_send_sge; j++) {
+               for (j = 1; j < num_send_sge; j++) {
                        sge = recv->r_sge + j;
                        sge->addr = 0;
                        sge->length = PAGE_SIZE;