From: Dan Carpenter <dan.carpenter@oracle.com>
To: "James E.J. Bottomley" <JBottomley@odin.com>,
Ondrej Zary <linux@rainbow-software.org>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org, Hannes Reinecke <hare@suse.com>
Subject: [patch RESEND] atp870u: 64 bit bug in atp885_init()
Date: Wed, 09 Dec 2015 10:24:53 +0000 [thread overview]
Message-ID: <20151209102453.GE3173@mwanda> (raw)
In-Reply-To: <55B9CA3B.1030205@suse.de>
On 64 bit CPUs there is a memory corruption bug on probe(). It should
be a u32 pointer instead of an unsigned long pointer or we write past
the end of the setupdata[] array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
---
Resending because we have shuffled the code around so the patch needed
to be refreshed against linux-next. Although I do wonder why we are
still working on this code since it has never worked on 64 bit systems
so probably all the users gave up a decade ago.
diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c
index 8b52a9d..b46997c 100644
--- a/drivers/scsi/atp870u.c
+++ b/drivers/scsi/atp870u.c
@@ -1413,11 +1413,11 @@ static void atp885_init(struct Scsi_Host *shpnt)
atpdev->global_map[m] = 0;
for (k = 0; k < 4; k++) {
atp_writew_base(atpdev, 0x3c, n++);
- ((unsigned long *)&setupdata[m][0])[k] = atp_readl_base(atpdev, 0x38);
+ ((u32 *)&setupdata[m][0])[k] = atp_readl_base(atpdev, 0x38);
}
for (k = 0; k < 4; k++) {
atp_writew_base(atpdev, 0x3c, n++);
- ((unsigned long *)&atpdev->sp[m][0])[k] = atp_readl_base(atpdev, 0x38);
+ ((u32 *)&atpdev->sp[m][0])[k] = atp_readl_base(atpdev, 0x38);
}
n += 8;
}
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "James E.J. Bottomley" <JBottomley@odin.com>,
Ondrej Zary <linux@rainbow-software.org>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org, Hannes Reinecke <hare@suse.com>
Subject: [patch RESEND] atp870u: 64 bit bug in atp885_init()
Date: Wed, 9 Dec 2015 13:24:53 +0300 [thread overview]
Message-ID: <20151209102453.GE3173@mwanda> (raw)
In-Reply-To: <55B9CA3B.1030205@suse.de>
On 64 bit CPUs there is a memory corruption bug on probe(). It should
be a u32 pointer instead of an unsigned long pointer or we write past
the end of the setupdata[] array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
---
Resending because we have shuffled the code around so the patch needed
to be refreshed against linux-next. Although I do wonder why we are
still working on this code since it has never worked on 64 bit systems
so probably all the users gave up a decade ago.
diff --git a/drivers/scsi/atp870u.c b/drivers/scsi/atp870u.c
index 8b52a9d..b46997c 100644
--- a/drivers/scsi/atp870u.c
+++ b/drivers/scsi/atp870u.c
@@ -1413,11 +1413,11 @@ static void atp885_init(struct Scsi_Host *shpnt)
atpdev->global_map[m] = 0;
for (k = 0; k < 4; k++) {
atp_writew_base(atpdev, 0x3c, n++);
- ((unsigned long *)&setupdata[m][0])[k] = atp_readl_base(atpdev, 0x38);
+ ((u32 *)&setupdata[m][0])[k] = atp_readl_base(atpdev, 0x38);
}
for (k = 0; k < 4; k++) {
atp_writew_base(atpdev, 0x3c, n++);
- ((unsigned long *)&atpdev->sp[m][0])[k] = atp_readl_base(atpdev, 0x38);
+ ((u32 *)&atpdev->sp[m][0])[k] = atp_readl_base(atpdev, 0x38);
}
n += 8;
}
next prev parent reply other threads:[~2015-12-09 10:24 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-04 9:50 [patch] [SCSI] atp870u: 64 bit bug in probe() Dan Carpenter
2013-09-04 9:50 ` Dan Carpenter
2015-07-29 21:36 ` Dan Carpenter
2015-07-29 21:36 ` Dan Carpenter
2015-07-30 6:54 ` Hannes Reinecke
2015-07-30 6:54 ` Hannes Reinecke
2015-12-09 10:24 ` Dan Carpenter [this message]
2015-12-09 10:24 ` [patch RESEND] atp870u: 64 bit bug in atp885_init() Dan Carpenter
2015-12-09 11:53 ` One Thousand Gnomes
2015-12-09 11:53 ` One Thousand Gnomes
2015-12-09 12:07 ` Ondrej Zary
2015-12-09 12:07 ` Ondrej Zary
2015-12-09 13:45 ` Dan Carpenter
2015-12-09 13:45 ` Dan Carpenter
2015-12-09 14:14 ` One Thousand Gnomes
2015-12-09 14:14 ` One Thousand Gnomes
2015-12-09 17:48 ` Dan Carpenter
2015-12-09 17:48 ` Dan Carpenter
2015-12-09 18:11 ` Julia Lawall
2015-12-09 18:11 ` Julia Lawall
2015-12-09 18:28 ` Dan Carpenter
2015-12-09 18:28 ` Dan Carpenter
2015-12-09 19:37 ` One Thousand Gnomes
2015-12-09 19:37 ` One Thousand Gnomes
2018-02-15 23:44 ` Martin K. Petersen
2018-02-15 23:44 ` Martin K. Petersen
2018-03-02 2:11 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151209102453.GE3173@mwanda \
--to=dan.carpenter@oracle.com \
--cc=JBottomley@odin.com \
--cc=hare@suse.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linux@rainbow-software.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.