This is likely an unexercised path, but looks like a bug nonetheless: In the case where umv_buf::command is FALSE, the else control segment is taken and a stack variable's address is stored by INIT_UDATA, to be written later in the call to alloc_pd. The stack variable then goes out of scope, so the call to alloc_pd could corrupt the stack.
The fix uses the status local variable as temporary storage, as it is unused until after the call to alloc_pd. Signed-off-by: Fab Tillier <[email protected]> Index: kernel/hca/pd.c =================================================================== --- kernel/hca/pd.c (revision 2947) +++ kernel/hca/pd.c (working copy) @@ -80,9 +80,9 @@ mlnx_allocate_pd ( 0, sizeof(p_resp->pdn)); } else { - u32 pdn; - INIT_UDATA(&udata, NULL, &pdn, - 0, sizeof(pdn)); + // Discard PDN output, so use status as temp storage. + INIT_UDATA(&udata, NULL, &status, + 0, sizeof(status)); } } else { _______________________________________________ ofw mailing list [email protected] http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
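Review bot: aliasing the discarded PDN output over `status` makes correctness depend on two things that are not visible in this hunk: that `sizeof(status)` is at least the `sizeof(u32)` the removed `pdn` buffer provided (otherwise the copy into the udata output buffer overruns it), and that nothing assigns or reads `status` between this INIT_UDATA and the point after the alloc_pd call where it is next written. A less fragile fix with the same effect is to hoist `u32 pdn;` to the function's top-level declarations so it stays in scope for the whole call, and keep `INIT_UDATA(&udata, NULL, &pdn, 0, sizeof(pdn));` unchanged; if the `status` reuse is kept, the comment should state the size requirement explicitly, e.g. `// status is unused until after alloc_pd and is at least sizeof(u32)`.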
