public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
	Jeff Moyer <jmoyer@redhat.com>,
	Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 07/20] firmware: fix BUG: in fw_realloc_buffer
Date: Fri, 24 Mar 2006 20:26:57 -0800
Message-ID: <20060325042657.GH21260@kroah.com>
In-Reply-To: <20060325042556.GA21260@kroah.com>

[-- Attachment #1: driver-0014-firmware-fix-BUG-in-fw_realloc_buffer.patch --]
[-- Type: text/plain, Size: 1677 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
The fw_realloc_buffer routine does not handle an increase in buffer size of
more than 4k.  It's not clear to me why it expects that it will only get an
extra 4k of data.  The attached patch modifies fw_realloc_buffer to vmalloc
as much memory as is requested, instead of what we previously had + 4k.

I've tested this on my laptop, which would crash occasionally on boot
without the patch.  With the patch, it hasn't crashed, but I can't be
certain that this code path is exercised.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---

 drivers/base/firmware_class.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

30560ba6eda308c13a361d08eb5d4eaab94ab37e
--- linux-2.6.16.orig/drivers/base/firmware_class.c
+++ linux-2.6.16/drivers/base/firmware_class.c
@@ -211,18 +211,20 @@ static int
 fw_realloc_buffer(struct firmware_priv *fw_priv, int min_size)
 {
 	u8 *new_data;
+	int new_size = fw_priv->alloc_size;
 
 	if (min_size <= fw_priv->alloc_size)
 		return 0;
 
-	new_data = vmalloc(fw_priv->alloc_size + PAGE_SIZE);
+	new_size = ALIGN(min_size, PAGE_SIZE);
+	new_data = vmalloc(new_size);
 	if (!new_data) {
 		printk(KERN_ERR "%s: unable to alloc buffer\n", __FUNCTION__);
 		/* Make sure that we don't keep incomplete data */
 		fw_load_abort(fw_priv);
 		return -ENOMEM;
 	}
-	fw_priv->alloc_size += PAGE_SIZE;
+	fw_priv->alloc_size = new_size;
 	if (fw_priv->fw->data) {
 		memcpy(new_data, fw_priv->fw->data, fw_priv->fw->size);
 		vfree(fw_priv->fw->data);
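
Review bot: min_size has no upper bound before `new_size = ALIGN(min_size, PAGE_SIZE);`, and both it and new_size are signed int, so a min_size within PAGE_SIZE - 1 of INT_MAX wraps new_size negative when it is rounded up, and that negative value is then handed to vmalloc() and stored in fw_priv->alloc_size if the allocation were to succeed. Reject min_size <= 0 and anything above an explicit maximum at the top of the function, or carry the sizes as size_t, so the value passed to vmalloc() and the one later compared in `min_size <= fw_priv->alloc_size` cannot be negative. Separately, the initializer in `int new_size = fw_priv->alloc_size;` is dead: the early return precedes any use and the ALIGN() assignment overwrites it unconditionally, so declare it without a value. The memcpy() in the trailing context stays within new_data only if fw_priv->fw->size never exceeds the old alloc_size; a short comment stating that invariant would help, since this function now sizes the buffer from the caller's request rather than from its own bookkeeping.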

--
