[ofa-general] [PATCH] mlx4: fix qp state bounds check for mlx4_qp_modify

Jack Morgenstein jackm at dev.mellanox.co.il
Thu Nov 15 07:18:47 PST 2007


mlx4: fix state check in mlx4_qp_modify.

cur_state is mistakenly checked twice.  One of the
checks should use new_state, rather than cur_state,
so that the subsequent array-value check will have
in-bounds indices.

Signed-off-by: Jack Morgenstein <jackm at dev.mellanox.co.il>

---

This one has been around since commit 225c7b1feef1b41170f7037a5b10a65cd8a42c54,
and even survived commit 287aa83dffd1b39859f49d73b0d67f57106de5f1.

It's an Oops waiting to happen. Please commit this as a bug fix to 2.6.24.

diff --git a/drivers/net/mlx4/qp.c b/drivers/net/mlx4/qp.c
index cc4b1be..c17b19d 100644
--- a/drivers/net/mlx4/qp.c
+++ b/drivers/net/mlx4/qp.c
@@ -113,7 +113,7 @@ int mlx4_qp_modify(struct mlx4_dev *dev, struct mlx4_mtt *mtt,
 	struct mlx4_cmd_mailbox *mailbox;
 	int ret = 0;
 
-	if (cur_state >= MLX4_QP_NUM_STATE || cur_state >= MLX4_QP_NUM_STATE ||
+	if (cur_state >= MLX4_QP_NUM_STATE || new_state >= MLX4_QP_NUM_STATE ||
 	    !op[cur_state][new_state])
 		return -EINVAL;
 
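Review bot: The corrected test on the added line only bounds cur_state and new_state from above before `op[cur_state][new_state]` is read, and the parameter types are not visible in this hunk. If either is a signed type, a negative value would pass both `>= MLX4_QP_NUM_STATE` comparisons and still index outside the table, so it is worth confirming the types are unsigned or adding an explicit lower-bound check. The ordering of the condition is right: both range checks short-circuit before the array lookup, which is what makes the lookup safe once new_state is actually tested. It would also help to state in the commit message that the failure mode is an out-of-bounds read of `op` when new_state is out of range, since that is why this qualifies as a bug fix for 2.6.24.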


