* [PATCH] Fix array indexing error in rheap grow()
@ 2007-01-27 23:41 Timur Tabi
From: Timur Tabi @ 2007-01-27 23:41 UTC (permalink / raw)
To: paulus, linuxppc-dev; +Cc: Timur Tabi, Ionut Nicu
The grow() function in the rheap library allocates a larger array of blocks,
copies the contents of the old blocks array to the newly allocated array and
fixes the list_head pointers after the copy. At the end, the new blocks must
be enqueued to the empty_list of the rh_info_t structure. This patch fixes
a bug where the code was indexing past the end of the array when enqueueing
blocks. The UCC ethernet driver, which uses the rheap allocator, experiences
kernel panics because of this bug.
Signed-off-by: Ionut Nicu <ionut.nicu@freescale.com>
Signed-off-by: Timur Tabi <timur@freescale.com>
---
arch/powerpc/lib/rheap.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/lib/rheap.c b/arch/powerpc/lib/rheap.c
index 57bf991..4bbda6b 100644
--- a/arch/powerpc/lib/rheap.c
+++ b/arch/powerpc/lib/rheap.c
@@ -85,7 +85,8 @@ static int grow(rh_info_t * info, int ma
info->flags &= ~RHIF_STATIC_BLOCK;
/* add all new blocks to the free list */
- for (i = 0, blk = block + info->max_blocks; i < new_blocks; i++, blk++)
+ blk = block + info->max_blocks - new_blocks;
+ for (i = 0; i < new_blocks; i++, blk++)
list_add(&blk->list, &info->empty_list);
return 0;
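Review bot: the new start pointer `blk = block + info->max_blocks - new_blocks;` is only in bounds if info->max_blocks already holds the enlarged count at this point and new_blocks is no larger than it, and neither assumption is visible or documented in this hunk. A one-line comment stating that max_blocks has already been updated would help, or the old count could be saved in a local before the update and used as the start offset, so that a later reordering of the assignments cannot silently reintroduce the out-of-bounds walk. The existing comment also says "free list" while the code and the commit message both refer to empty_list; aligning the comment would avoid confusion with the allocator's free list.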
--
1.4.4