From: Michael Chan Date: Tue, 9 Jan 2007 03:56:13 +0000 (-0800) Subject: [BNX2]: Fix bug in bnx2_nvram_write(). X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e6be763f63420c334710a5a0818e6bfcf5d593f8;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [BNX2]: Fix bug in bnx2_nvram_write(). The bug was a bogus pointer being passed to kfree(). The pointer was incremented in the write loop and then passed to kfree(). The fix is to use align_buf to save the original address. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index e325f9337225..08a77a36b4c6 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, int buf_size) { u32 written, offset32, len32; - u8 *buf, start[4], end[4], *flash_buffer = NULL; + u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL; int rc = 0; int align_start, align_end; @@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } if (align_start || align_end) { - buf = kmalloc(len32, GFP_KERNEL); - if (buf == NULL) + align_buf = kmalloc(len32, GFP_KERNEL); + if (align_buf == NULL) return -ENOMEM; if (align_start) { - memcpy(buf, start, 4); + memcpy(align_buf, start, 4); } if (align_end) { - memcpy(buf + len32 - 4, end, 4); + memcpy(align_buf + len32 - 4, end, 4); } - memcpy(buf + align_start, data_buf, buf_size); + memcpy(align_buf + align_start, data_buf, buf_size); + buf = align_buf; } if (bp->flash_info->buffered == 0) { @@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } nvram_write_end: - if (bp->flash_info->buffered == 0) - kfree(flash_buffer); - - if (align_start || align_end) - kfree(buf); + kfree(flash_buffer); + kfree(align_buf); return rc; }