From: Matan Barak Date: Tue, 27 Jan 2015 13:58:07 +0000 (+0200) Subject: net/mlx4: Fix memory corruption in mlx4_MAD_IFC_wrapper X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=19ab574f6271a2f912a449cfdea14a60098fba90;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git net/mlx4: Fix memory corruption in mlx4_MAD_IFC_wrapper Fix a memory corruption at mlx4_MAD_IFC_wrapper. A table of size dev->caps.pkey_table_len[port]*sizeof(*table) was allocated, but get_full_pkey_table() assumes that the number of entries in the table is a multiplication of 32 (which isn't always correct). Fixes: 0a9a018 ('mlx4: MAD_IFC paravirtualization') Signed-off-by: Matan Barak Signed-off-by: Or Gerlitz Signed-off-by: Amir Vadai Signed-off-by: David S. Miller --- diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c index 928b7065732c..154effbfd8be 100644 --- a/drivers/net/ethernet/mellanox/mlx4/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c @@ -901,7 +901,9 @@ static int mlx4_MAD_IFC_wrapper(struct mlx4_dev *dev, int slave, index = be32_to_cpu(smp->attr_mod); if (port < 1 || port > dev->caps.num_ports) return -EINVAL; - table = kcalloc(dev->caps.pkey_table_len[port], sizeof *table, GFP_KERNEL); + table = kcalloc((dev->caps.pkey_table_len[port] / 32) + 1, + sizeof(*table) * 32, GFP_KERNEL); + if (!table) return -ENOMEM; /* need to get the full pkey table because the paravirtualized