From: Jack Morgenstein Date: Tue, 20 Nov 2007 21:01:28 +0000 (-0800) Subject: mlx4_core: Fix state check in mlx4_qp_modify() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9ed87fd34c97a998e63505718ce7e107a23c84c3;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git mlx4_core: Fix state check in mlx4_qp_modify() When checking the states passed in, mlx4_qp_modify() accidentally checks cur_state twice rather than checking cur_state and new_state. Fix this to make sure that both values are in-bounds. Since these values may be passed in from userspace, this bug results in userspace being able to trigger an oops. Signed-off-by: Jack Morgenstein Cc: stable Signed-off-by: Roland Dreier --- diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c index 42b47639c81c..fa24e6597591 100644 --- a/drivers/net/mlx4/qp.c +++ b/drivers/net/mlx4/qp.c @@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt, struct mlx4_cmd_mailbox *mailbox; int ret = 0; - if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE || + if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE || !op[cur_state][new_state]) return -EINVAL;