mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-11-26 15:36:29 +00:00
24797a3442
nes_reg_user_mr() should fail if page_count becomes >= 1024 * 512 rather than just testing for strict >, because page_count is essentially used as an index into an array with 1024 * 512 entries, so allowing the loop to continue with page_count == 1024 * 512 means that memory after the end of the array is corrupted. This leads to a crash triggerable by a userspace application that requests registration of a too-big region. Also get rid of the call to pci_free_consistent() here to avoid corrupting state with a double free, since the same memory will be freed in the code jumped to at reg_user_mr_err. Signed-off-by: Roland Dreier <rolandd@cisco.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| nes_cm.c | ||
| nes_cm.h | ||
| nes_context.h | ||
| nes_hw.c | ||
| nes_hw.h | ||
| nes_nic.c | ||
| nes_user.h | ||
| nes_utils.c | ||
| nes_verbs.c | ||
| nes_verbs.h | ||
| nes.c | ||
| nes.h | ||