stable.vger.kernel.org archive mirror
From: David Miller <davem@davemloft.net>
To: stable@vger.kernel.org
Subject: Re: [PATCH] Sparc
Date: Fri, 13 Apr 2018 13:38:41 -0400 (EDT)
Message-ID: <20180413.133841.1254326631851052115.davem@davemloft.net>
In-Reply-To: <20180413.132345.1529667192010956356.davem@davemloft.net>

[-- Attachment #1: Type: Text/Plain, Size: 191 bytes --]

From: David Miller <davem@davemloft.net>
Date: Fri, 13 Apr 2018 13:23:45 -0400 (EDT)

> 
> Please queue up the attached sparc bug fix for 4.16 -stable.

Sorry, this is the correct mbox file.

[-- Attachment #2: sparc_416.mbox --]
[-- Type: Application/Octet-Stream, Size: 1799 bytes --]

From d641d793b013a0d68373c799fb5840caff56f9f1 Mon Sep 17 00:00:00 2001
From: Rob Gardner <rob.gardner@oracle.com>
Date: Sat, 31 Mar 2018 22:53:01 -0600
Subject: [PATCH] sparc64: Properly range check DAX completion index

[ Upstream commit 49d7006d9f01d435661d03bbea3db4c33935b3d8 ]

Each Oracle DAX CCB has a corresponding completion area, and the required
number of areas must fit within a previously allocated array of completion
areas beginning at the requested index.  Since the completion area index
is specified by a file offset, a user can pass arbitrary values, including
negative numbers. So the index must be thoroughly range checked to prevent
access to addresses outside the bounds of the allocated completion
area array.  The index cannot be negative, and it cannot exceed the
total array size, less the number of CCBs requested. The old code did
not check for negative values and was off by one on the upper bound.

Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
Signed-off-by: Jonathan Helman <jonathan.helman@oracle.com>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/sbus/char/oradax.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/sbus/char/oradax.c b/drivers/sbus/char/oradax.c
index 03dc04739225..c44d7c7ffc92 100644
--- a/drivers/sbus/char/oradax.c
+++ b/drivers/sbus/char/oradax.c
@@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *ctx, const char __user *buf,
 	dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx);
 
 	/* for given index and length, verify ca_buf range exists */
-	if (idx + nccbs >= DAX_CA_ELEMS) {
+	if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) {
 		ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL;
 		return 0;
 	}
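
Review bot: The upper bound in the new condition, `idx > (DAX_CA_ELEMS - nccbs)`, is only correct if `nccbs` is a signed value already known to lie between 0 and DAX_CA_ELEMS when this test runs, and nothing in the hunk shows where that is established. If `nccbs` were unsigned, the subtraction could wrap and the comparison would be carried out unsigned, so please confirm that `nccbs` is validated earlier in dax_ccb_exec or add an explicit bound on it next to this test. The comment above the test would also benefit from saying that idx is derived from the user-supplied file offset and can be negative, since that is the reason for the `idx < 0` term.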
-- 
2.14.3

