From bf1d8edb38bbf0628c1f2de7d13ab98533c1fe60 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 19 May 2020 18:45:25 +0300 Subject: [PATCH] RDMA/rtrs: Fix a couple off by one bugs in rtrs_srv_rdma_done() These > comparisons should be >= to prevent accessing one element beyond the end of the buffer. Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") Link: https://lore.kernel.org/r/20200519154525.GA66801@mwanda Signed-off-by: Dan Carpenter Acked-by: Danil Kipnis Signed-off-by: Jason Gunthorpe --- drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c index eefd149ce7a4..863b3942e333 100644 --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c @@ -1213,8 +1213,8 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc) msg_id = imm_payload >> sess->mem_bits; off = imm_payload & ((1 << sess->mem_bits) - 1); - if (unlikely(msg_id > srv->queue_depth || - off > max_chunk_size)) { + if (unlikely(msg_id >= srv->queue_depth || + off >= max_chunk_size)) { rtrs_err(s, "Wrong msg_id %u, off %u\n", msg_id, off); close_sess(sess); -- 2.34.1