authorMichael Chan <mchan@broadcom.com>2007-01-08 19:56:13 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2007-01-09 00:30:04 -0800
commite6be763f63420c334710a5a0818e6bfcf5d593f8 (patch)
tree7ff84d869b78f73b1ee22f9d9deff44899661263
parent253c8b75546c5f21d5321d691df92c1e84d9b0fb (diff)
[BNX2]: Fix bug in bnx2_nvram_write().
The bug was a bogus pointer being passed to kfree(). The pointer was incremented in the write loop and then passed to kfree(). The fix is to use align_buf to save the original address. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/bnx2.c20
1 files changed, 9 insertions, 11 deletions
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
index e325f9337225..08a77a36b4c6 100644
--- a/drivers/net/bnx2.c
+++ b/drivers/net/bnx2.c
@@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
int buf_size)
{
u32 written, offset32, len32;
- u8 *buf, start[4], end[4], *flash_buffer = NULL;
+ u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL;
int rc = 0;
int align_start, align_end;
@@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
}
if (align_start || align_end) {
- buf = kmalloc(len32, GFP_KERNEL);
- if (buf == NULL)
+ align_buf = kmalloc(len32, GFP_KERNEL);
+ if (align_buf == NULL)
return -ENOMEM;
if (align_start) {
- memcpy(buf, start, 4);
+ memcpy(align_buf, start, 4);
}
if (align_end) {
- memcpy(buf + len32 - 4, end, 4);
+ memcpy(align_buf + len32 - 4, end, 4);
}
- memcpy(buf + align_start, data_buf, buf_size);
+ memcpy(align_buf + align_start, data_buf, buf_size);
+ buf = align_buf;
}
if (bp->flash_info->buffered == 0) {
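Review bot: The three copies into `align_buf` are bounded only by `len32`, which is computed above this hunk, while `buf_size` is a signed `int` in the signature and is converted to `size_t` inside `memcpy(align_buf + align_start, data_buf, buf_size)`. Nothing visible here rejects a negative length or one larger than the allocation, so the copy is safe only if the earlier code guarantees `align_start + buf_size <= len32` and `len32 >= 4` whenever `align_end` is set. If that is not already enforced on the lines outside the hunk, a guard before the `kmalloc()` such as `if (buf_size < 0 || (u32)buf_size > len32 - align_start) return -EINVAL;` would make the invariant explicit. The body of bnx2_nvram_write() starts before and continues after this hunk, so the computation of `len32` could not be checked from here.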
@@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf,
}
nvram_write_end:
- if (bp->flash_info->buffered == 0)
- kfree(flash_buffer);
-
- if (align_start || align_end)
- kfree(buf);
+ kfree(flash_buffer);
+ kfree(align_buf);
return rc;
}
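Review bot: The cleanup at `nvram_write_end` carries no comment explaining why it frees `align_buf` rather than `buf`, which is the distinction this fix depends on. It is correct because both `align_buf` and `flash_buffer` are initialised to NULL at their declaration and kfree(NULL) is a no-op, but a later edit could easily reintroduce a free of the advanced pointer. A comment above the two calls would record this, for example `/* free the allocation bases only; buf is advanced by the write loop and must never be passed to kfree() */`. The write loop that advances `buf` is outside this hunk.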