diff options
author | Michael Chan <mchan@broadcom.com> | 2007-01-08 22:56:13 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-01-09 03:30:04 -0500 |
commit | e6be763f63420c334710a5a0818e6bfcf5d593f8 (patch) | |
tree | 7ff84d869b78f73b1ee22f9d9deff44899661263 | |
parent | 253c8b75546c5f21d5321d691df92c1e84d9b0fb (diff) |
[BNX2]: Fix bug in bnx2_nvram_write().
The bug was a bogus pointer being passed to kfree(). The pointer was
incremented in the write loop and then passed to kfree().
The fix is to use align_buf to save the original address.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/bnx2.c | 20 |
1 files changed, 9 insertions, 11 deletions
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index e325f9337225..08a77a36b4c6 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c | |||
@@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, | |||
3083 | int buf_size) | 3083 | int buf_size) |
3084 | { | 3084 | { |
3085 | u32 written, offset32, len32; | 3085 | u32 written, offset32, len32; |
3086 | u8 *buf, start[4], end[4], *flash_buffer = NULL; | 3086 | u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL; |
3087 | int rc = 0; | 3087 | int rc = 0; |
3088 | int align_start, align_end; | 3088 | int align_start, align_end; |
3089 | 3089 | ||
@@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, | |||
3111 | } | 3111 | } |
3112 | 3112 | ||
3113 | if (align_start || align_end) { | 3113 | if (align_start || align_end) { |
3114 | buf = kmalloc(len32, GFP_KERNEL); | 3114 | align_buf = kmalloc(len32, GFP_KERNEL); |
3115 | if (buf == NULL) | 3115 | if (align_buf == NULL) |
3116 | return -ENOMEM; | 3116 | return -ENOMEM; |
3117 | if (align_start) { | 3117 | if (align_start) { |
3118 | memcpy(buf, start, 4); | 3118 | memcpy(align_buf, start, 4); |
3119 | } | 3119 | } |
3120 | if (align_end) { | 3120 | if (align_end) { |
3121 | memcpy(buf + len32 - 4, end, 4); | 3121 | memcpy(align_buf + len32 - 4, end, 4); |
3122 | } | 3122 | } |
3123 | memcpy(buf + align_start, data_buf, buf_size); | 3123 | memcpy(align_buf + align_start, data_buf, buf_size); |
3124 | buf = align_buf; | ||
3124 | } | 3125 | } |
3125 | 3126 | ||
3126 | if (bp->flash_info->buffered == 0) { | 3127 | if (bp->flash_info->buffered == 0) { |
@@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, | |||
3254 | } | 3255 | } |
3255 | 3256 | ||
3256 | nvram_write_end: | 3257 | nvram_write_end: |
3257 | if (bp->flash_info->buffered == 0) | 3258 | kfree(flash_buffer); |
3258 | kfree(flash_buffer); | 3259 | kfree(align_buf); |
3259 | |||
3260 | if (align_start || align_end) | ||
3261 | kfree(buf); | ||
3262 | return rc; | 3260 | return rc; |
3263 | } | 3261 | } |
3264 | 3262 | ||