linux-mips
[Top] [All Lists]

[PATCH] MIPS: msc: Prevent out-of-bounds writes to MIPS SC ioremap'd reg

To: <linux-mips@linux-mips.org>
Subject: [PATCH] MIPS: msc: Prevent out-of-bounds writes to MIPS SC ioremap'd region
From: Markos Chandras <markos.chandras@imgtec.com>
Date: Mon, 23 Jun 2014 09:48:51 +0100
Cc: Markos Chandras <markos.chandras@imgtec.com>, <stable@vger.kernel.org>
List-archive: <http://www.linux-mips.org/archives/linux-mips/>
List-help: <mailto:ecartis@linux-mips.org?Subject=help>
List-id: linux-mips <linux-mips.eddie.linux-mips.org>
List-owner: <mailto:ralf@linux-mips.org>
List-post: <mailto:linux-mips@linux-mips.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:ecartis@linux-mips.org?subject=subscribe%20linux-mips>
List-unsubscribe: <mailto:ecartis@linux-mips.org?subject=unsubscribe%20linux-mips>
Original-recipient: rfc822;linux-mips@linux-mips.org
Sender: linux-mips-bounce@linux-mips.org
Previously, the lower limit for the MIPS SC initialization loop was
set incorrectly allowing one extra loop leading to writes
beyond the MSC ioremap'd space. More precisely, the value of the 'imp'
in the last loop increased beyond the msc_irqmap_t boundaries and
as a result of which, the 'n' variable was loaded with an incorrect
value. This value was used later on to calculate the offset in the
MSC01_IC_SUP which led to random crashes like the following one:

CPU 0 Unable to handle kernel paging request at virtual address e75c0200,
epc == 8058dba4, ra == 8058db90
[...]
Call Trace:
[<8058dba4>] init_msc_irqs+0x104/0x154
[<8058b5bc>] arch_init_irq+0xd8/0x154
[<805897b0>] start_kernel+0x220/0x36c

Kernel panic - not syncing: Attempted to kill the idle task!

This patch fixes the problem

Cc: stable@vger.kernel.org
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
---
 arch/mips/kernel/irq-msc01.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/kernel/irq-msc01.c b/arch/mips/kernel/irq-msc01.c
index 4858642d543d..a734b2c2f9ea 100644
--- a/arch/mips/kernel/irq-msc01.c
+++ b/arch/mips/kernel/irq-msc01.c
@@ -126,7 +126,7 @@ void __init init_msc_irqs(unsigned long icubase, unsigned 
int irqbase, msc_irqma
 
        board_bind_eic_interrupt = &msc_bind_eic_interrupt;
 
-       for (; nirq >= 0; nirq--, imp++) {
+       for (; nirq > 0; nirq--, imp++) {
                int n = imp->im_irq;
 
                switch (imp->im_type) {
-- 
2.0.0


<Prev in Thread] Current Thread [Next in Thread>
  • [PATCH] MIPS: msc: Prevent out-of-bounds writes to MIPS SC ioremap'd region, Markos Chandras <=