mlx4_core: Fix state check in mlx4_qp_modify()
When checking the states passed in, mlx4_qp_modify() accidentally checks cur_state twice rather than checking cur_state and new_state. Fix this to make sure that both values are in-bounds. Since these values may be passed in from userspace, this bug results in userspace being able to trigger an oops. Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Cc: stable <stable@kernel.org> Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
parent
4187b915a0
commit
9ed87fd34c
|
@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
|
|||
struct mlx4_cmd_mailbox *mailbox;
|
||||
int ret = 0;
|
||||
|
||||
if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE ||
|
||||
if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
|
||||
!op[cur_state][new_state])
|
||||
return -EINVAL;
|
||||
|
||||
|
|
Loading…
Reference in New Issue