mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array

ib_map_mr_sg() can pass an SG-list to .map_mr_sg() that is larger
than what fits into a single MR. .map_mr_sg() must not attempt to
map more SG-list elements than what fits into a single MR.
Hence make sure that mlx5_ib_sg_to_klms() does not write outside
the MR klms[] array.

Fixes: b005d31 ("mlx5: Add arbitrary sg list support")
Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Max Gurtovoy <[email protected]>
Cc: Sagi Grimberg <[email protected]>
Cc: Leon Romanovsky <[email protected]>
Cc: Israel Rukshin <[email protected]>
Cc: <[email protected]>
Acked-by: Leon Romanovsky <[email protected]>
Reviewed-by: Sagi Grimberg <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>

Author: Bart Van Assche

drivers/infiniband/hw/mlx5/mr.c

@@ -1779,7 +1779,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr,
 	mr->ndescs = sg_nents;
 
 	for_each_sg(sgl, sg, sg_nents, i) {
-		if (unlikely(i > mr->max_descs))
+		if (unlikely(i >= mr->max_descs))
 			break;
 		klms[i].va = cpu_to_be64(sg_dma_address(sg) + sg_offset);
 		klms[i].bcount = cpu_to_be32(sg_dma_len(sg) - sg_offset);