diff options
author | Michael Chan <mchan@broadcom.com> | 2007-01-08 19:56:13 -0800 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-01-09 00:30:04 -0800 |
commit | e6be763f63420c334710a5a0818e6bfcf5d593f8 (patch) | |
tree | 7ff84d869b78f73b1ee22f9d9deff44899661263 | |
parent | 253c8b75546c5f21d5321d691df92c1e84d9b0fb (diff) | |
download | lwn-e6be763f63420c334710a5a0818e6bfcf5d593f8.tar.gz lwn-e6be763f63420c334710a5a0818e6bfcf5d593f8.zip |
[BNX2]: Fix bug in bnx2_nvram_write().
The bug was a bogus pointer being passed to kfree(). The pointer was
incremented in the write loop and then passed to kfree().
The fix is to use align_buf to save the original address.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/bnx2.c | 20 |
1 files changed, 9 insertions, 11 deletions
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index e325f9337225..08a77a36b4c6 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, int buf_size) { u32 written, offset32, len32; - u8 *buf, start[4], end[4], *flash_buffer = NULL; + u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL; int rc = 0; int align_start, align_end; @@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } if (align_start || align_end) { - buf = kmalloc(len32, GFP_KERNEL); - if (buf == NULL) + align_buf = kmalloc(len32, GFP_KERNEL); + if (align_buf == NULL) return -ENOMEM; if (align_start) { - memcpy(buf, start, 4); + memcpy(align_buf, start, 4); } if (align_end) { - memcpy(buf + len32 - 4, end, 4); + memcpy(align_buf + len32 - 4, end, 4); } - memcpy(buf + align_start, data_buf, buf_size); + memcpy(align_buf + align_start, data_buf, buf_size); + buf = align_buf; } if (bp->flash_info->buffered == 0) { @@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } nvram_write_end: - if (bp->flash_info->buffered == 0) - kfree(flash_buffer); - - if (align_start || align_end) - kfree(buf); + kfree(flash_buffer); + kfree(align_buf); return rc; } |