aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/mlx4
diff options
context:
space:
mode:
authorJack Morgenstein <jackm@dev.mellanox.co.il>2007-11-20 16:01:28 -0500
committerRoland Dreier <rolandd@cisco.com>2007-11-20 16:01:28 -0500
commit9ed87fd34c97a998e63505718ce7e107a23c84c3 (patch)
tree137e38d8fed9a1b43f34f0ed009ff6ea048ac884 /drivers/net/mlx4
parent4187b915a0f7eaa69707715e80d9fc253ff6167a (diff)
mlx4_core: Fix state check in mlx4_qp_modify()
When checking the states passed in, mlx4_qp_modify() accidentally checks cur_state twice rather than checking cur_state and new_state. Fix this to make sure that both values are in-bounds. Since these values may be passed in from userspace, this bug results in userspace being able to trigger an oops. Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Cc: stable <stable@kernel.org> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/net/mlx4')
-rw-r--r--drivers/net/mlx4/qp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c
index 42b47639c81c..fa24e6597591 100644
--- a/drivers/net/mlx4/qp.c
+++ b/drivers/net/mlx4/qp.c
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
113 struct mlx4_cmd_mailbox *mailbox; 113 struct mlx4_cmd_mailbox *mailbox;
114 int ret = 0; 114 int ret = 0;
115 115
116 if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE || 116 if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
117 !op[cur_state][new_state]) 117 !op[cur_state][new_state])
118 return -EINVAL; 118 return -EINVAL;
119 119