Re: [PATCH] ibmveth: Fix off-by-one error in ibmveth_change_mtu()

[David Gibson]

On Tue, Apr 14, 2015 at 10:33:18AM -0500, Thomas Falcon wrote:
> On 04/13/2015 12:39 AM, David Gibson wrote:
> > AFAIK the PAPR document which defines the virtual device interface used by
> > the ibmveth driver doesn't specify a specific maximum MTU.  So, in the
> > ibmveth driver, the maximum allowed MTU is determined by the maximum
> > allocated buffer size of 64k (corresponding to one page in the common case)
> > minus the per-buffer overhead IBMVETH_BUFF_OH (which has value 22 for 14
> > bytes of ethernet header, plus 8 bytes for an opaque handle).
> >
> > This suggests a maximum allowable MTU of 65514 bytes, but in fact the
> > driver only permits a maximum MTU of 65513.  This is because there is a <
> > instead of an <= in ibmveth_change_mtu(), which only permits an MTU which
> > is strictly smaller than the buffer size, rather than allowing the buffer
> > to be completely filled.
> >
> > This patch fixes the buglet.
> 
> 
> The same expression is made using < just a few lines above.  Shouldn't this be changed to <= too?
> 
> @@ -1238,7 +1238,7 @@ static int ibmveth_change_mtu(struct net_device *dev, int new_mtu)
>                 return -EINVAL;
>  
>         for (i = 0; i < IBMVETH_NUM_BUFF_POOLS; i++)
> -               if (new_mtu_oh < adapter->rx_buff_pool[i].buff_size)
> +               if (new_mtu_oh <= adapter->rx_buff_pool[i].buff_size)
>                         break;
>  
>         if (i == IBMVETH_NUM_BUFF_POOLS)

Yes, yes it should.

Good catch, thanks.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

Attachment: pgpBG7jZnFxw1.pgp
Description: PGP signature