From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, wwang <wei_wang@realsil.com.cn>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [ 17/48] staging:rts_pstor:Fix possible panic by NULL pointer dereference
Date: Sun, 01 Jul 2012 18:20:23 +0100 [thread overview]
Message-ID: <20120701172009.084561579@decadent.org.uk> (raw)
In-Reply-To: <20120701172006.535271340@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: wwang <wei_wang@realsil.com.cn>
commit 0d05568ac79bfc595f1eadc3e0fd7a20a45f7b69 upstream.
rtsx_transport.c (rtsx_transfer_sglist_adma_partial):
pointer struct scatterlist *sg, which is mapped in dma_map_sg,
is used as an iterator in later transfer operation. It is corrupted and
passed to dma_unmap_sg, thus causing fatal unmap of some erroneous address.
Fix it by duplicating *sg_ptr for iterating.
Signed-off-by: wwang <wei_wang@realsil.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/rts_pstor/rtsx_transport.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/rts_pstor/rtsx_transport.c b/drivers/staging/rts_pstor/rtsx_transport.c
index 4e3d2c1..9b2e5c9 100644
--- a/drivers/staging/rts_pstor/rtsx_transport.c
+++ b/drivers/staging/rts_pstor/rtsx_transport.c
@@ -335,6 +335,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card,
int sg_cnt, i, resid;
int err = 0;
long timeleft;
+ struct scatterlist *sg_ptr;
u32 val = TRIG_DMA;
if ((sg == NULL) || (num_sg <= 0) || !offset || !index)
@@ -371,7 +372,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card,
sg_cnt = dma_map_sg(&(rtsx->pci->dev), sg, num_sg, dma_dir);
resid = size;
-
+ sg_ptr = sg;
chip->sgi = 0;
/* Usually the next entry will be @sg@ + 1, but if this sg element
* is part of a chained scatterlist, it could jump to the start of
@@ -379,14 +380,14 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card,
* the proper sg
*/
for (i = 0; i < *index; i++)
- sg = sg_next(sg);
+ sg_ptr = sg_next(sg_ptr);
for (i = *index; i < sg_cnt; i++) {
dma_addr_t addr;
unsigned int len;
u8 option;
- addr = sg_dma_address(sg);
- len = sg_dma_len(sg);
+ addr = sg_dma_address(sg_ptr);
+ len = sg_dma_len(sg_ptr);
RTSX_DEBUGP("DMA addr: 0x%x, Len: 0x%x\n",
(unsigned int)addr, len);
@@ -415,7 +416,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card,
if (!resid)
break;
- sg = sg_next(sg);
+ sg_ptr = sg_next(sg_ptr);
}
RTSX_DEBUGP("SG table count = %d\n", chip->sgi);
next prev parent reply other threads:[~2012-07-01 18:27 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-01 17:20 [ 00/48] 3.2.22-stable review Ben Hutchings
2012-07-01 17:20 ` [ 01/48] staging:iio:ad7606: Re-add missing scale attribute Ben Hutchings
2012-07-01 17:20 ` [ 02/48] Tools: hv: verify origin of netlink connector message Ben Hutchings
2012-07-01 17:20 ` [ 03/48] edac: avoid mce decoding crash after edac driver unloaded Ben Hutchings
2012-07-01 17:20 ` [ 04/48] hwrng: atmel-rng - fix data valid check Ben Hutchings
2012-07-01 17:20 ` [ 05/48] staging: r8712u: Add new USB IDs Ben Hutchings
2012-07-01 17:20 ` [ 06/48] hwmon: (applesmc) Limit key length in warning messages Ben Hutchings
2012-07-01 17:20 ` [ 07/48] mm: fix slab->page _count corruption when using slub Ben Hutchings
2012-07-02 23:46 ` Herton Ronaldo Krzesinski
2012-07-02 23:56 ` Herton Ronaldo Krzesinski
2012-07-03 1:17 ` Herton Ronaldo Krzesinski
2012-07-03 20:19 ` Pravin Shelar
2012-07-04 4:36 ` Ben Hutchings
2012-07-01 17:20 ` [ 08/48] mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition Ben Hutchings
2012-07-01 17:20 ` [ 09/48] thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE Ben Hutchings
2012-07-01 17:20 ` [ 10/48] nilfs2: ensure proper cache clearing for gc-inodes Ben Hutchings
2012-07-01 17:20 ` [ 11/48] mm: correctly synchronize rss-counters at exit/exec Ben Hutchings
2012-07-01 19:02 ` Hugh Dickins
2012-07-02 2:01 ` Ben Hutchings
2012-07-02 16:46 ` Oleg Nesterov
2012-07-04 4:31 ` Ben Hutchings
2012-07-01 17:20 ` [ 12/48] drm/i915: Finish any pending operations on the framebuffer before disabling Ben Hutchings
2012-07-01 17:20 ` [ 13/48] drm/i915: Remove use of the autoreported ringbuffer HEAD position Ben Hutchings
2012-07-01 17:20 ` [ 14/48] e1000e: Disable ASPM L1 on 82574 Ben Hutchings
2012-07-01 17:20 ` [ 15/48] e1000e: Remove special case for 82573/82574 ASPM L1 disablement Ben Hutchings
2012-07-01 22:59 ` Jonathan Nieder
2012-07-02 7:21 ` Chris Boot
2012-07-01 17:20 ` [ 16/48] drm/i915: Do the fallback non-IRQ wait in ring throttle, too Ben Hutchings
2012-07-01 17:20 ` Ben Hutchings [this message]
2012-07-01 17:20 ` [ 18/48] [media] gspca-core: Fix buffers staying in queued state after a stream_off Ben Hutchings
2012-07-01 17:20 ` [ 19/48] [media] smsusb: add autodetection support for USB ID 2040:f5a0 Ben Hutchings
2012-07-01 17:20 ` [ 20/48] drm/edid: dont return stack garbage from supports_rb Ben Hutchings
2012-07-01 17:20 ` [ 21/48] drm/nouveau/fbcon: using nv_two_heads is not a good idea Ben Hutchings
2012-07-01 17:20 ` [ 22/48] dm thin: reinstate missing mempool_free in cell_release_singleton Ben Hutchings
2012-07-01 17:20 ` [ 23/48] ath9k: Fix a WARNING on suspend/resume with IBSS Ben Hutchings
2012-07-01 17:20 ` [ 24/48] cfg80211: fix potential deadlock in regulatory Ben Hutchings
2012-07-01 17:20 ` [ 25/48] ath9k: Fix softlockup in AR9485 Ben Hutchings
2012-07-01 17:20 ` [ 26/48] can: c_can: precedence error in c_can_chip_config() Ben Hutchings
2012-07-01 17:20 ` [ 27/48] ath9k: fix a tx rate duration calculation bug Ben Hutchings
2012-07-01 17:20 ` [ 28/48] batman-adv: fix skb->data assignment Ben Hutchings
2012-07-01 17:20 ` [ 29/48] ARM: SAMSUNG: Should check for IS_ERR(clk) instead of NULL Ben Hutchings
2012-07-01 17:20 ` [ 30/48] ath9k_hw: avoid possible infinite loop in ar9003_get_pll_sqsum_dvc Ben Hutchings
2012-07-01 17:20 ` [ 31/48] iwlwifi: remove log_event debugfs file debugging is disabled Ben Hutchings
2012-07-01 17:20 ` [ 32/48] ARM: SAMSUNG: Fix for S3C2412 EBI memory mapping Ben Hutchings
2012-07-01 17:20 ` [ 33/48] USB: option: add id for Cellient MEN-200 Ben Hutchings
2012-07-01 17:20 ` [ 34/48] oprofile: perf: use NR_CPUS instead or nr_cpumask_bits for static array Ben Hutchings
2012-07-01 17:20 ` [ 35/48] drm/i915: Refactor the deferred PM_IIR handling into a single function Ben Hutchings
2012-07-01 17:20 ` [ 36/48] drm/i915: rip out the PM_IIR WARN Ben Hutchings
2012-07-01 17:20 ` [ 37/48] drm/i915: Fix eDP blank screen after S3 resume on HP desktops Ben Hutchings
2012-07-01 17:20 ` [ 38/48] SCSI & usb-storage: add try_rc_10_first flag Ben Hutchings
2012-07-02 7:10 ` Hans de Goede
2012-07-02 18:52 ` Linus Torvalds
2012-07-02 20:39 ` James Bottomley
2012-07-02 22:23 ` Linus Torvalds
2012-07-03 0:41 ` Matthew Wilcox
2012-07-03 6:18 ` James Bottomley
2012-07-03 15:49 ` Alan Stern
2012-07-03 17:32 ` Matthew Wilcox
2012-07-03 19:50 ` Alan Stern
2012-07-03 20:07 ` James Bottomley
2012-07-03 20:25 ` Alan Stern
2012-07-03 20:35 ` Matthew Wilcox
2012-07-05 21:40 ` Alan Stern
2012-07-06 3:05 ` Matthew Wilcox
2012-07-06 14:00 ` Alan Stern
2012-07-04 4:39 ` Ben Hutchings
2012-07-01 17:20 ` [ 39/48] PM / Sleep: Prevent waiting forever on asynchronous suspend after abort Ben Hutchings
2012-07-01 17:20 ` [ 40/48] x86, cpufeature: Rename X86_FEATURE_DTS to X86_FEATURE_DTHERM Ben Hutchings
2012-07-01 17:20 ` [ 41/48] stable: Allow merging of backports for serious user-visible performance issues Ben Hutchings
2012-07-01 17:20 ` [ 42/48] ALSA: hda - Add Realtek ALC280 codec support Ben Hutchings
2012-07-01 17:20 ` [ 43/48] USB: option: Add USB ID for Novatel Ovation MC551 Ben Hutchings
2012-07-01 17:20 ` [ 44/48] USB: CP210x Add 10 Device IDs Ben Hutchings
2012-07-01 17:20 ` [ 45/48] xen/netfront: teardown the device before unregistering it Ben Hutchings
2012-07-01 17:20 ` [ 46/48] can: flexcan: use be32_to_cpup to handle the value of dt entry Ben Hutchings
2012-07-01 17:20 ` [ 47/48] acpi_pad: fix power_saving thread deadlock Ben Hutchings
2012-07-01 17:20 ` [ 48/48] batman-adv: only drop packets of known wifi clients Ben Hutchings
2012-07-01 19:11 ` [ 00/48] 3.2.22-stable review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120701172009.084561579@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=wei_wang@realsil.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox