(parent: 8c37ac3)
block/swim: Fix array bounds check
author Finn Thain <fthain@telegraphics.com.au> Thu, 12 Apr 2018 00:50:14 +0000 (20:50 -0400)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> Sun, 29 Apr 2018 09:33:17 +0000 (11:33 +0200)
commit 7ae6a2b6cc058005ee3d0d2b9ce27688e51afa4b upstream.
In the floppy_find() function in swim.c is a call to
get_disk(swd->unit[drive].disk). The actual parameter to this call
can be a NULL pointer when drive == swd->floppy_count. This causes
an oops in get_disk().
Data read fault at 0x00000198 in Super Data (pc=0x1be5b6)
BAD KERNEL BUSERR
Oops: 00000000
Modules linked in: swim_mod ipv6 mac8390
PC: [<001be5b6>] get_disk+0xc/0x76
SR: 2004 SP: 9a078bc1 a2: 0213ed90
d0: 00000000 d1: 00000000 d2: 00000000 d3: 000000ff
d4: 00000002 d5: 02983590 a0: 02332e00 a1: 022dfd64
Process dd (pid: 285, task=020ab25b)
Frame format=B ssw=074d isc=4a88 isb=6732 daddr=00000198 dobuf=00000000
baddr=001be5bc dibuf=bfffffff ver=f
Stack from 022dfca4:
00000000 0203fc00 0213ed90 022dfcc0 02982936 00000000 00200000 022dfd08
0020f85a 00200000 022dfd64 02332e00 004040fc 00000014 001be77e 022dfd64
00334e4a 001be3f8 0800001d 022dfd64 01c04b60 01c04b70 022aba80 029828f8
02332e00 022dfd2c 001be7ac 0203fc00 00200000 022dfd64 02103a00 01c04b60
01c04b60 0200e400 022dfd68 000e191a 00200000 022dfd64 02103a00 0800001d
00000000 00000003 000b89de 00500000 02103a00 01c04b60 02103a08 01c04c2e
Call Trace: [<02982936>] floppy_find+0x3e/0x4a [swim_mod]
[<00200000>] uart_remove_one_port+0x1a2/0x260
[<0020f85a>] kobj_lookup+0xde/0x132
[<00200000>] uart_remove_one_port+0x1a2/0x260
[<001be77e>] get_gendisk+0x0/0x130
[<00334e4a>] mutex_lock+0x0/0x2e
[<001be3f8>] disk_block_events+0x0/0x6c
[<029828f8>] floppy_find+0x0/0x4a [swim_mod]
[<001be7ac>] get_gendisk+0x2e/0x130
[<00200000>] uart_remove_one_port+0x1a2/0x260
[<000e191a>] __blkdev_get+0x32/0x45a
[<00200000>] uart_remove_one_port+0x1a2/0x260
[<000b89de>] complete_walk+0x0/0x8a
[<000e1e22>] blkdev_get+0xe0/0x29a
[<000e1fdc>] blkdev_open+0x0/0xb0
[<000b89de>] complete_walk+0x0/0x8a
[<000e1fdc>] blkdev_open+0x0/0xb0
[<000e01cc>] bd_acquire+0x74/0x8a
[<000e205c>] blkdev_open+0x80/0xb0
[<000e1fdc>] blkdev_open+0x0/0xb0
[<000abf24>] do_dentry_open+0x1a4/0x322
[<00020000>] __do_proc_douintvec+0x22/0x27e
[<000b89de>] complete_walk+0x0/0x8a
[<000baa62>] link_path_walk+0x0/0x48e
[<000ba3f8>] inode_permission+0x20/0x54
[<000ac0e4>] vfs_open+0x42/0x78
[<000bc372>] path_openat+0x2b2/0xeaa
[<000bc0c0>] path_openat+0x0/0xeaa
[<0004463e>] __irq_wake_thread+0x0/0x4e
[<0003a45a>] task_tick_fair+0x18/0xc8
[<000bd00a>] do_filp_open+0xa0/0xea
[<000abae0>] do_sys_open+0x11a/0x1ee
[<00020000>] __do_proc_douintvec+0x22/0x27e
[<000abbf4>] SyS_open+0x1e/0x22
[<00020000>] __do_proc_douintvec+0x22/0x27e
[<00002b40>] syscall+0x8/0xc
[<00020000>] __do_proc_douintvec+0x22/0x27e
[<0000c00b>] dyadic+0x1/0x28
Code: 4e5e 4e75 4e56 fffc 2f0b 2f02 266e 0008 <206b> 0198 4a88 6732 2428 002c 661e 486b 0058 4eb9 0032 0b96 588f 4a88 672c 2008
Disabling lock debugging due to kernel taint
Fix the array index bounds check to avoid this.
Cc: Laurent Vivier <lvivier@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: stable@vger.kernel.org # v4.14+
Fixes: 8852ecd97488 ("[PATCH] m68k: mac - Add SWIM floppy support")
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Acked-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/block/swim.c
diff --git
a/drivers/block/swim.c
b/drivers/block/swim.c
index b82aaa49df47a18169a10d3946191954ca064091..763931aebc159935b9ac0beefcb8ebf803099caf 100644
(file)
--- a/
drivers/block/swim.c
+++ b/
drivers/block/swim.c
@@
-790,7
+790,7
@@
static struct kobject *floppy_find(dev_t dev, int *part, void *data)
struct swim_priv *swd = data;
int drive = (*part & 3);
- if (drive > swd->floppy_count)
+ if (drive >
=
swd->floppy_count)
return NULL;
*part = 0;
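Review bot: the corrected comparison in floppy_find() would benefit from a one-line comment stating the invariant it relies on, namely that valid indices into swd->unit[] run from 0 to swd->floppy_count - 1. The commit message shows that unit[floppy_count].disk can be NULL and that passing it to get_disk() oopses, so the reason for `>=` is worth recording next to the check. Since drive is computed as (*part & 3) it can take any value from 0 to 3, so it is also worth confirming that floppy_count can never exceed the number of entries in unit[] at the point where it is set; that code is not visible in this hunk.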