x86: pci: Prevent mmconfig memory corruption
in [Kernel]
|
Prev: tracing: return accurate value for print_graph_prologue
Next: Fix file descriptor leak on user-space processes and cleanup
From: Bjorn Helgaas on 25 Feb 2010 10:50 On Thursday 25 February 2010 08:42:11 am Thomas Gleixner wrote: > commit ff097ddd4 (x86/PCI: MMCONFIG: manage pci_mmcfg_region as a > list, not a table) introduced a nasty memory corruption when > pci_mmcfg_list is empty. Ouch, I'm really sorry about that. Thanks for fixing it. Bjorn -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Jesse Barnes on 25 Feb 2010 11:40
On Thu, 25 Feb 2010 16:42:11 +0100 (CET) Thomas Gleixner <tglx(a)linutronix.de> wrote: > commit ff097ddd4 (x86/PCI: MMCONFIG: manage pci_mmcfg_region as a > list, not a table) introduced a nasty memory corruption when > pci_mmcfg_list is empty. > > pci_mmcfg_check_end_bus_number() dereferences pci_mmcfg_list.prev even > when the list is empty. The following write hits some variable near to > pci_mmcfg_list. > > Further down a similar problem exists, where cfg->list.next is > dereferenced unconditionally and a comparison with some variable near > to pci_mmcfg_list happens. > > Add a check for the last element into the for_each_entry() loop and > remove all the other crappy logic which is just a leftover of the old > array based code which was replaced by the list conversion. > > Reported-by: Ingo Molnar <mingo(a)elte.hu> > Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> > Cc: Bjorn Helgaas <bjorn.helgaas(a)hp.com> > Cc: Yinghai Lu <yinghai(a)kernel.org> > Cc: Jesse Barnes <jbarnes(a)virtuousgeek.org> > Cc: stable(a)kernel.org > --- Applied to my linux-next branch, thanks. I'll be part of my pull request to Linus tomorrow. -- Jesse Barnes, Intel Open Source Technology Center -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |