From: Yuval Mintz <Yuval.Mintz@qlogic.com>
Date: Mon, 19 Sep 2016 14:47:41 +0000 (+0300)
Subject: qed: Fix stack corruption on probe
X-Git-Tag: v4.1.12-93~2^2~244
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=97d21d6c036deb60b3fca42f00f8f4072a5b8be8;p=users%2Fjedix%2Flinux-maple.git

qed: Fix stack corruption on probe

Orabug: 25477939

Commit fe56b9e6a8d95 ("qed: Add module with basic common support")
has introduced a stack corruption during probe, where filling a
local struct with data to be sent to management firmware is incorrectly
filled; The data is written outside of the struct and corrupts
the stack.

Changes from v1:
----------------
 - Correct the value written [Caught by David Laight]

Fixes: fe56b9e6a8d95 ("qed: Add module with basic common support")
Signed-off-by: Yuval Mintz <Yuval.Mintz@caviumnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 67a99b7061c07b190ac6c39f136afedbb7aa86e9)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
---

diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
index 404a76d5f81f3..a468bd414096a 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
@@ -1178,8 +1178,8 @@ qed_mcp_send_drv_version(struct qed_hwfn *p_hwfn,
 	p_drv_version = &union_data.drv_version;
 	p_drv_version->version = p_ver->version;
 
-	for (i = 0; i < MCP_DRV_VER_STR_SIZE - 1; i += 4) {
-		val = cpu_to_be32(p_ver->name[i]);
+	for (i = 0; i < (MCP_DRV_VER_STR_SIZE - 4) / sizeof(u32); i++) {
+		val = cpu_to_be32(*((u32 *)&p_ver->name[i * sizeof(u32)]));
 		*(__be32 *)&p_drv_version->name[i * sizeof(u32)] = val;
 	}