projects
/
GitHub
/
exynos8895
/
android_kernel_samsung_universal8895.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
9e71f9c
)
[PATCH] cciss: fix use-after-free in cciss_init_one
author
Patrick McHardy
<kaber@trash.net>
Thu, 23 Mar 2006 10:59:24 +0000
(
02:59
-0800)
committer
Linus Torvalds
<torvalds@g5.osdl.org>
Thu, 23 Mar 2006 15:38:03 +0000
(07:38 -0800)
free_hba() sets hba[i] to NULL, the dereference afterwards results in this
crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm
not entirely sure, which is why I left it in.
cciss: controller appears to be disabled
Unable to handle kernel NULL pointer dereference at virtual address
00000370
printing eip:
c1114d53
*pde =
00000000
Oops: 0002 [#1]
Modules linked in:
CPU: 0
EIP: 0060:[<
c1114d53
>] Not tainted VLI
EFLAGS:
00010286
(2.6.16 #1)
EIP is at cciss_init_one+0x4e9/0x4fe
eax:
00000000
ebx:
c132cd60
ecx:
c13154e4
edx:
c27d3c00
esi:
00000000
edi:
c2748800
ebp:
c2536ee4
esp:
c2536eb8
ds: 007b es: 007b ss: 0068
Process swapper (pid: 1, threadinfo=
c2536000
task=
c2535a30
)
Stack: <0>
00000000
00000000
00000000
c13fdba0
c2536ee8
c13159c0
c2536f38
f7c74740
c132cd60
c132cd60
ffffffed
c2536ef0
c10c1d51
c2748800
c2536f04
c10c1d85
c132cd60
c2748800
c132cd8c
c2536f14
c10c1db8
c2748848
00000000
c2536f28
Call Trace:
[<
c10031d5
>] show_stack_log_lvl+0xa8/0xb0
[<
c1003305
>] show_registers+0x102/0x16a
[<
c10034a2
>] die+0xc1/0x13c
[<
c1288160
>] do_page_fault+0x38a/0x525
[<
c1002e9b
>] error_code+0x4f/0x54
[<
c10c1d51
>] pci_call_probe+0xd/0x10
[<
c10c1d85
>] __pci_device_probe+0x31/0x43
[<
c10c1db8
>] pci_device_probe+0x21/0x34
[<
c110a654
>] driver_probe_device+0x44/0x99
[<
c110a73f
>] __driver_attach+0x39/0x5d
[<
c1109e1c
>] bus_for_each_dev+0x35/0x5a
[<
c110a777
>] driver_attach+0x14/0x16
[<
c110a220
>] bus_add_driver+0x5c/0x8f
[<
c110ab22
>] driver_register+0x73/0x78
[<
c10c1f6d
>] __pci_register_driver+0x5f/0x71
[<
c13bf935
>] cciss_init+0x1a/0x1c
[<
c13aa718
>] do_initcalls+0x4c/0x96
[<
c13aa77e
>] do_basic_setup+0x1c/0x1e
[<
c10002b1
>] init+0x35/0x118
[<
c1000cf5
>] kernel_thread_helper+0x5/0xb
Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de
40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80
70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
<0>Kernel panic - not syncing: Attempted to kill init!
Signed-off-by: Patrick McHardy <kaber@trash.net>
Cc: <mike.miller@hp.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/block/cciss.c
patch
|
blob
|
blame
|
history
diff --git
a/drivers/block/cciss.c
b/drivers/block/cciss.c
index cf39cf9aac257b44fa98deaf4292a81c81eade6e..e29b8926f80ed08e1c618e236c8186720f0f1ea9 100644
(file)
--- a/
drivers/block/cciss.c
+++ b/
drivers/block/cciss.c
@@
-3268,8
+3268,8
@@
clean2:
unregister_blkdev(hba[i]->major, hba[i]->devname);
clean1:
release_io_mem(hba[i]);
- free_hba(i);
hba[i]->busy_initializing = 0;
+ free_hba(i);
return(-1);
}