mlx4_core: Fix state check in mlx4_qp_modify()

When checking the states passed in, mlx4_qp_modify() accidentally checks cur_state twice rather than checking cur_state and new_state. Fix this to make sure that both values are in-bounds. Since these values may be passed in from userspace, this bug results in userspace being able to trigger an oops. Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Cc: stable <stable@kernel.org> Signed-off-by: Roland Dreier <rolandd@cisco.com>
git-mirror · Nov 20, 2007 · 9ed87fd · 9ed87fd
1 parent 4187b91
commit 9ed87fd
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
 	struct mlx4_cmd_mailbox *mailbox;
 	int ret = 0;
 
-	if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE ||
+	if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
 	    !op[cur_state][new_state])
 		return -EINVAL;