From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	linux-pci@atrey.karlin.mff.cuni.cz
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
	Kristen Accardi <kristen.c.accardi@intel.com>,
	greg@kroah.com, Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 12/22] PCI: correctly allocate return buffers for osc calls
Date: Wed, 17 May 2006 00:00:12 -0700	[thread overview]
Message-ID: <20060517221407.149238000@sous-sol.org> (raw)
In-Reply-To: 20060517221312.227391000@sous-sol.org

[-- Attachment #1: pci-correctly-allocate-return-buffers-for-osc-calls.patch --]
[-- Type: text/plain, Size: 4281 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

The OSC set and query functions do not allocate enough space for return values,
and set the output buffer length to a false, too large value.  This causes the 
acpi-ca code to assume that the output buffer is larger than it actually is, 
and overwrite memory when copying acpi return buffers into this caller provided
buffer.  In some cases this can cause a kernel oops if the memory that is 
overwritten is a pointer.  This patch will change these calls to use a 
dynamically allocated output buffer, thus allowing the acpi-ca code to decide 
how much space is needed.

Signed-off-by: Kristen Carlson Accardi <kristen.c.accardi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

---
 drivers/pci/pci-acpi.c |   60 ++++++++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 25 deletions(-)

--- linux-2.6.16.16.orig/drivers/pci/pci-acpi.c
+++ linux-2.6.16.16/drivers/pci/pci-acpi.c
@@ -33,13 +33,10 @@ acpi_query_osc (
 	acpi_status		status;
 	struct acpi_object_list	input;
 	union acpi_object 	in_params[4];
-	struct acpi_buffer	output;
-	union acpi_object 	out_obj;	
+	struct acpi_buffer	output = {ACPI_ALLOCATE_BUFFER, NULL};
+	union acpi_object 	*out_obj;
 	u32			osc_dw0;
 
-	/* Setting up output buffer */
-	output.length = sizeof(out_obj) + 3*sizeof(u32);  
-	output.pointer = &out_obj;
 	
 	/* Setting up input parameters */
 	input.count = 4;
@@ -61,12 +58,15 @@ acpi_query_osc (
 			"Evaluate _OSC Set fails. Status = 0x%04x\n", status);
 		return status;
 	}
-	if (out_obj.type != ACPI_TYPE_BUFFER) {
+	out_obj = output.pointer;
+
+	if (out_obj->type != ACPI_TYPE_BUFFER) {
 		printk(KERN_DEBUG  
 			"Evaluate _OSC returns wrong type\n");
-		return AE_TYPE;
+		status = AE_TYPE;
+		goto query_osc_out;
 	}
-	osc_dw0 = *((u32 *) out_obj.buffer.pointer);
+	osc_dw0 = *((u32 *) out_obj->buffer.pointer);
 	if (osc_dw0) {
 		if (osc_dw0 & OSC_REQUEST_ERROR)
 			printk(KERN_DEBUG "_OSC request fails\n"); 
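Review bot: The new code reads `*((u32 *) out_obj->buffer.pointer)` right after the type check without ever looking at `out_obj->buffer.length`; with ACPI_ALLOCATE_BUFFER the size of that buffer is now whatever the firmware's _OSC returned, so a short or malformed return object would be read past its end (the next hunk also reads at `buffer.pointer + 8`). The old code implicitly sized the buffer for three u32 words, so a length check should follow the type check: `if (out_obj->buffer.length < 3 * sizeof(u32)) { status = AE_ERROR; goto query_osc_out; }`. The same gap exists in acpi_run_osc's type-check hunk (`@@ -124,12 +126,14 @@`), where the label would be run_osc_out. acpi_query_osc's body continues outside this hunk.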
@@ -76,15 +76,21 @@ acpi_query_osc (
 			printk(KERN_DEBUG "_OSC invalid revision\n"); 
 		if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) {
 			/* Update Global Control Set */
-			global_ctrlsets = *((u32 *)(out_obj.buffer.pointer+8));
-			return AE_OK;
+			global_ctrlsets = *((u32 *)(out_obj->buffer.pointer+8));
+			status = AE_OK;
+			goto query_osc_out;
 		}
-		return AE_ERROR;
+		status = AE_ERROR;
+		goto query_osc_out;
 	}
 
 	/* Update Global Control Set */
-	global_ctrlsets = *((u32 *)(out_obj.buffer.pointer + 8));
-	return AE_OK;
+	global_ctrlsets = *((u32 *)(out_obj->buffer.pointer + 8));
+	status = AE_OK;
+
+query_osc_out:
+	kfree(output.pointer);
+	return status;
 }
 
 
@@ -96,14 +102,10 @@ acpi_run_osc (
 	acpi_status		status;
 	struct acpi_object_list	input;
 	union acpi_object 	in_params[4];
-	struct acpi_buffer	output;
-	union acpi_object 	out_obj;	
+	struct acpi_buffer	output = {ACPI_ALLOCATE_BUFFER, NULL};
+	union acpi_object 	*out_obj;
 	u32			osc_dw0;
 
-	/* Setting up output buffer */
-	output.length = sizeof(out_obj) + 3*sizeof(u32);  
-	output.pointer = &out_obj;
-	
 	/* Setting up input parameters */
 	input.count = 4;
 	input.pointer = in_params;
@@ -124,12 +126,14 @@ acpi_run_osc (
 			"Evaluate _OSC Set fails. Status = 0x%04x\n", status);
 		return status;
 	}
-	if (out_obj.type != ACPI_TYPE_BUFFER) {
+	out_obj = output.pointer;
+	if (out_obj->type != ACPI_TYPE_BUFFER) {
 		printk(KERN_DEBUG  
 			"Evaluate _OSC returns wrong type\n");
-		return AE_TYPE;
+		status = AE_TYPE;
+		goto run_osc_out;
 	}
-	osc_dw0 = *((u32 *) out_obj.buffer.pointer);
+	osc_dw0 = *((u32 *) out_obj->buffer.pointer);
 	if (osc_dw0) {
 		if (osc_dw0 & OSC_REQUEST_ERROR)
 			printk(KERN_DEBUG "_OSC request fails\n"); 
@@ -139,11 +143,17 @@ acpi_run_osc (
 			printk(KERN_DEBUG "_OSC invalid revision\n"); 
 		if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) {
 			printk(KERN_DEBUG "_OSC FW not grant req. control\n");
-			return AE_SUPPORT;
+			status = AE_SUPPORT;
+			goto run_osc_out;
 		}
-		return AE_ERROR;
+		status = AE_ERROR;
+		goto run_osc_out;
 	}
-	return AE_OK;
+	status = AE_OK;
+
+run_osc_out:
+	kfree(output.pointer);
+	return status;
 }
 
 /**

--

