Commit e6be763f authored by Michael Chan's avatar Michael Chan Committed by David S. Miller

[BNX2]: Fix bug in bnx2_nvram_write().

The bug was a bogus pointer being passed to kfree().  The pointer was
incremented in the write loop and then passed to kfree().

The fix is to use align_buf to save the original address.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 253c8b75
...@@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, ...@@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
int buf_size) int buf_size)
{ {
u32 written, offset32, len32; u32 written, offset32, len32;
u8 *buf, start[4], end[4], *flash_buffer = NULL; u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL;
int rc = 0; int rc = 0;
int align_start, align_end; int align_start, align_end;
...@@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, ...@@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
} }
if (align_start || align_end) { if (align_start || align_end) {
buf = kmalloc(len32, GFP_KERNEL); align_buf = kmalloc(len32, GFP_KERNEL);
if (buf == NULL) if (align_buf == NULL)
return -ENOMEM; return -ENOMEM;
if (align_start) { if (align_start) {
memcpy(buf, start, 4); memcpy(align_buf, start, 4);
} }
if (align_end) { if (align_end) {
memcpy(buf + len32 - 4, end, 4); memcpy(align_buf + len32 - 4, end, 4);
} }
memcpy(buf + align_start, data_buf, buf_size); memcpy(align_buf + align_start, data_buf, buf_size);
buf = align_buf;
} }
if (bp->flash_info->buffered == 0) { if (bp->flash_info->buffered == 0) {
...@@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, ...@@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
} }
nvram_write_end: nvram_write_end:
if (bp->flash_info->buffered == 0) kfree(flash_buffer);
kfree(flash_buffer); kfree(align_buf);
if (align_start || align_end)
kfree(buf);
return rc; return rc;
} }
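Review bot: At `buf = align_buf;` the function now holds two pointers into one allocation with different roles, and nothing on that line says so: align_buf is the owning pointer freed at nvram_write_end, while buf is the cursor that the commit message says is advanced by the write loop. A comment there, such as `/* align_buf owns the allocation; buf is only a cursor and must never be passed to kfree() */`, would help keep a later edit from reintroducing the free of an interior pointer. The now-unconditional `kfree(flash_buffer)` and `kfree(align_buf)` are correct only because both are initialised to NULL in the declaration and kfree(NULL) is a no-op, so that initialisation deserves a short comment too. Separately, `memcpy(align_buf + align_start, data_buf, buf_size)` depends on len32 covering align_start + buf_size and on the signed `int buf_size` being non-negative; len32 is computed outside the visible hunks, so this is something to confirm rather than a defect shown here. The body of bnx2_nvram_write continues outside the hunks.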