From: Zhu Yanjun <yanjun.zhu@oracle.com>
Date: Fri, 25 Jan 2019 02:14:52 +0000 (-0500)
Subject: net: rds: fix excess initialization of the recv SGEs
X-Git-Tag: v4.1.12-124.31.3~297
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f00f2cc6fb4eba8b0423d1081adf969433f38560;p=users%2Fjedix%2Flinux-maple.git

net: rds: fix excess initialization of the recv SGEs

In rds_ib_recv_init_ring(), an excess array element is incorrectly
initialized. This is not an OOB situation, as the sge array is
initialized to eight entries. With a fragment size of a maximum of 16KiB
and a page size of minimum 4KiB, then num_send_sge can at most become
five.

Orabug: 29004503

Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
Reviewed-by: HÃ¥kon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
---

diff --git a/net/rds/ib_recv.c b/net/rds/ib_recv.c
index d07bc2b285ec..c0fb3cf3b947 100644
--- a/net/rds/ib_recv.c
+++ b/net/rds/ib_recv.c
@@ -81,7 +81,7 @@ void rds_ib_recv_init_ring(struct rds_ib_connection *ic)
 		sge->length = sizeof(struct rds_header);
 		sge->lkey = ic->i_mr->lkey;
 
-		for (j = 1; j <= num_send_sge; j++) {
+		for (j = 1; j < num_send_sge; j++) {
 			sge = recv->r_sge + j;
 			sge->addr = 0;
 			sge->length = PAGE_SIZE;