mlx4_core: Fix state check in mlx4_qp_modify()
author Jack Morgenstein <jackm@dev.mellanox.co.il>
Tue, 20 Nov 2007 21:01:28 +0000 (13:01 -0800)
committer Roland Dreier <rolandd@cisco.com>
Tue, 20 Nov 2007 21:01:28 +0000 (13:01 -0800)
When checking the states passed in, mlx4_qp_modify() accidentally checks
cur_state twice rather than checking cur_state and new_state.  Fix this
to make sure that both values are in-bounds.

Since these values may be passed in from userspace, this bug results in
userspace being able to trigger an oops.

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Cc: stable <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/net/mlx4/qp.c

index 42b47639c81cb6f4753ea728bd86d81d060c5792..fa24e6597591fc0f10ab11158ead02051f884a6d 100644 (file)
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
        struct mlx4_cmd_mailbox *mailbox;
        int ret = 0;
 
-       if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE ||
+       if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
            !op[cur_state][new_state])
                return -EINVAL;
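
Review bot: the corrected condition on the `new_state >= MLX4_QP_NUM_STATE` line bounds both indices from above only, and the declarations of cur_state and new_state fall outside this hunk. If either can hold a negative value, it passes both comparisons and still reaches `op[cur_state][new_state]`. Since the commit message says these values may come from userspace, confirm that neither can be negative at this point, or add an explicit lower-bound check. A one-line comment above the check noting that the states may originate from userspace would also make a copy-paste slip like the one fixed here easier to spot in future edits.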