summaryrefslogtreecommitdiffstats
path: root/drivers/net/mlx4/qp.c
diff options
context:
space:
mode:
authorJack Morgenstein <jackm@dev.mellanox.co.il>2007-11-20 22:01:28 +0100
committerRoland Dreier <rolandd@cisco.com>2007-11-20 22:01:28 +0100
commit9ed87fd34c97a998e63505718ce7e107a23c84c3 (patch)
tree137e38d8fed9a1b43f34f0ed009ff6ea048ac884 /drivers/net/mlx4/qp.c
parentIB/ipath: Normalize error return codes for posting work requests (diff)
downloadlinux-9ed87fd34c97a998e63505718ce7e107a23c84c3.tar.xz
linux-9ed87fd34c97a998e63505718ce7e107a23c84c3.zip
mlx4_core: Fix state check in mlx4_qp_modify()
When checking the states passed in, mlx4_qp_modify() accidentally checks cur_state twice rather than checking cur_state and new_state. Fix this to make sure that both values are in-bounds. Since these values may be passed in from userspace, this bug results in userspace being able to trigger an oops. Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Cc: stable <stable@kernel.org> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/net/mlx4/qp.c')
-rw-r--r--drivers/net/mlx4/qp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c
index 42b47639c81c..fa24e6597591 100644
--- a/drivers/net/mlx4/qp.c
+++ b/drivers/net/mlx4/qp.c
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
struct mlx4_cmd_mailbox *mailbox;
int ret = 0;
- if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE ||
+ if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
!op[cur_state][new_state])
return -EINVAL;