From patchwork Fri Aug 7 14:54:19 2009
X-Patchwork-Submitter: roel kluin
X-Patchwork-Id: 30936
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <4A7C401B.7090301@gmail.com>
Date: Fri, 07 Aug 2009 16:54:19 +0200
From: Roel Kluin
To: "David S. Miller", khc@pm.waw.pl, netdev, Andrew Morton
Subject: Re: [PATCH] lmc: Read outside array bounds
References: <4A6B84A9.7020506@gmail.com> <20090728144307.c189810b.akpm@linux-foundation.org>
In-Reply-To: <20090728144307.c189810b.akpm@linux-foundation.org>
X-Mailing-List: netdev@vger.kernel.org

If dev_alloc_skb() fails on the first iteration of the allocation loop, and we break out of the loop, then we end up writing before the start of the array.

Signed-off-by: Roel Kluin
---
> First of all, if we allocated at least one buffer we should
> mark the last one in the code right after this loop.
>
> Second of all, we should purge the TX skbs in the next
> loop even if we could not allocate even one RX buffer.
>
> The thing to do is probably to guard the set of "[i-1]" RX ring
> accesses with a "if (i != 0)" check.

Forgot a bit about this one, but I hope this is what you meant?

diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c index 45b1822..b26fabb 100644 --- a/drivers/net/wan/lmc/lmc_main.c +++ b/drivers/net/wan/lmc/lmc_main.c @@ -1838,7 +1838,7 @@ void lmc_mii_writereg (lmc_softc_t * const sc, unsigned devaddr, unsigned regno, static void lmc_softreset (lmc_softc_t * const sc) /*fold00*/ { - int i; + int i, j; lmc_trace(sc->lmc_device, "lmc_softreset in"); 
@@ -1897,24 +1897,27 @@ static void lmc_softreset (lmc_softc_t * const sc) /*fold00*/ /* * Sets end of ring */ - sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */ - sc->lmc_rxring[i - 1].buffer2 = virt_to_bus (&sc->lmc_rxring[0]); /* Point back to the start */ - LMC_CSR_WRITE (sc, csr_rxlist, virt_to_bus (sc->lmc_rxring)); /* write base address */ + if (i > 0) { + sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */ + sc->lmc_rxring[i - 1].buffer2 = virt_to_bus(&sc->lmc_rxring[0]); /* Point back to the start */ + LMC_CSR_WRITE(sc, csr_rxlist, virt_to_bus(sc->lmc_rxring)); /* write base address */ + } /* Initialize the transmit rings and buffers */ - for (i = 0; i < LMC_TXDESCS; i++) - { - if (sc->lmc_txq[i] != NULL){ /* have buffer */ - dev_kfree_skb(sc->lmc_txq[i]); /* free it */ + for (j = 0; j < i; j++) { + if (sc->lmc_txq[j] != NULL) { /* have buffer */ + dev_kfree_skb(sc->lmc_txq[j]); /* free it */ sc->lmc_device->stats.tx_dropped++; /* We just dropped a packet */ } - sc->lmc_txq[i] = NULL; - sc->lmc_txring[i].status = 0x00000000; - sc->lmc_txring[i].buffer2 = virt_to_bus (&sc->lmc_txring[i + 1]); + sc->lmc_txq[j] = NULL; + sc->lmc_txring[j].status = 0x00000000; + sc->lmc_txring[j].buffer2 = virt_to_bus(&sc->lmc_txring[j + 1]); + } + if (j > 0) { + sc->lmc_txring[j - 1].buffer2 = virt_to_bus(&sc->lmc_txring[0]); + LMC_CSR_WRITE(sc, csr_txlist, virt_to_bus(sc->lmc_txring)); } - sc->lmc_txring[i - 1].buffer2 = virt_to_bus (&sc->lmc_txring[0]); - LMC_CSR_WRITE (sc, csr_txlist, virt_to_bus (sc->lmc_txring)); lmc_trace(sc->lmc_device, "lmc_softreset out"); }
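
Review bot: In the second hunk the transmit loop is now bounded by `j < i`, where `i` is the count left over from the receive allocation loop, so TX ring cleanup depends on how many RX buffers were allocated. With `i == 0` no `sc->lmc_txq[]` skb is freed and no TX descriptor is reset, which is the opposite of the quoted review request to purge the TX skbs even when no RX buffer could be allocated; with `0 < i < LMC_TXDESCS` the entries from `i` upward are left untouched. Suggest leaving the TX loop as `for (i = 0; i < LMC_TXDESCS; i++)` with its unconditional `csr_txlist` write, and limiting the change to the `if (i > 0)` guard around the two `sc->lmc_rxring[i - 1]` accesses; the `j` added in the first hunk is then not needed. `LMC_CSR_WRITE(sc, csr_rxlist, ...)` has also moved inside the guard although it does not index `[i - 1]`, so on total allocation failure the RX base address is never written; either keep it outside the `if` or state in the changelog why skipping it is intended. The `virt_to_bus (` to `virt_to_bus(` whitespace changes are unrelated to the fix and would be easier to review as a separate patch.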