Re: [PATCH] Fix bug: accessing past end of array.

From: Randy.Dunlap
Date: Sun Jun 25 2006 - 22:24:21 EST


[adding linux-scsi]

On Sun, 25 Jun 2006 19:06:46 -0700 (PDT) Alex Davis wrote:

> If the card is re-inserted 2 or more times, we access elements
> past the end of the aha152x_host array.

When I was testing/reproducing this, I observed that removing
the card did not cause the aha152x_detach() function to be called
(in drivers/scsi/pcmcia/aha152x_stub.c). However, I didn't
find out why that doesn't happen. I think fixing this would
be a big help.


> Also correct spelling errors.
>
> This is for 2.6.17.
>
> Signed-off-by Alex Davis <alex14641 at yahoo dot com>
> =========================================================================
> diff -u linux-2.6.17.1-orig/drivers/scsi/aha152x.c linux-2.6.17.1/drivers/scsi/aha152x.c
> --- linux-2.6.17.1-orig/drivers/scsi/aha152x.c 2006-06-17 21:49:35.000000000 -0400
> +++ linux-2.6.17.1/drivers/scsi/aha152x.c 2006-06-25 20:06:05.000000000 -0400
> @@ -766,7 +766,7 @@
> struct Scsi_Host *shpnt = lookup_irq(irqno);
>
> if (!shpnt) {
> - printk(KERN_ERR "aha152x: catched software interrupt %d for unknown controller.\n",
> irqno);
> + printk(KERN_ERR "aha152x: caught software interrupt %d for unknown controller.\n",
> irqno);
> return IRQ_NONE;
> }
>
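
Review bot: the "catched" to "caught" change in this printk is unrelated to the out-of-bounds fix and would be better sent as its own patch, so the bounds fix can be reviewed and backported on its own. The same applies to the identical spelling change in the hunk at -1458.
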
> @@ -779,6 +779,7 @@
> struct Scsi_Host *aha152x_probe_one(struct aha152x_setup *setup)
> {
> struct Scsi_Host *shpnt;
> + int i;
>
> shpnt = scsi_host_alloc(&aha152x_driver_template, sizeof(struct aha152x_hostdata));
> if (!shpnt) {
> @@ -787,6 +788,22 @@
> }
>
> /* need to have host registered before triggering any interrupt */
> +
> + /* find an empty slot. */
> + for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
> + if ( aha152x_host[i] == NULL ) {
> + break;
> + }
> + }
> +
> + /* no empty slots? */
> + if ( i >= ARRAY_SIZE(aha152x_host) ) {
> + printk(KERN_ERR "aha152x: too many hosts: %d\n", i + 1);
> + return NULL;
> + }
> +
> + registered_count = i;
> +
> aha152x_host[registered_count] = shpnt;
>
> memset(HOSTDATA(shpnt), 0, sizeof *HOSTDATA(shpnt));
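
Review bot: the `return NULL;` in the "no empty slots" branch leaks the host that scsi_host_alloc() returned just above, since shpnt is never released on that path. Either call scsi_host_put(shpnt) before returning, or do the slot search before the allocation. Two smaller points in the same block: registered_count is now overwritten with a slot index, which no longer matches its name, so a local index (or a rename) would be clearer; and `for ( i = 0; ...` / `if ( ...` use spaces inside the parentheses and braces around single statements, which does not match the style of the surrounding lines.
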
> @@ -915,6 +932,8 @@
>
> void aha152x_release(struct Scsi_Host *shpnt)
> {
> + int i;
> +
> if(!shpnt)
> return;
>
> @@ -933,6 +952,12 @@
>
> scsi_remove_host(shpnt);
> scsi_host_put(shpnt);
> + for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
> + if ( aha152x_host[i] == shpnt ) {
> + aha152x_host[i] = NULL;
> + break;
> + }
> + }
> }
>
>
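
Review bot: the loop that clears the slot runs after scsi_host_put(shpnt), so aha152x_host[] still holds the pointer while the host is being removed and after its reference has been dropped. Clearing the slot before scsi_remove_host()/scsi_host_put() would keep the array from ever pointing at a host that is going away. The loop only compares the pointer value, so it is not a use-after-free by itself, but the ordering is worth fixing.
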
> @@ -1458,7 +1483,7 @@
> unsigned char rev, dmacntrl0;
>
> if (!shpnt) {
> - printk(KERN_ERR "aha152x: catched interrupt %d for unknown controller.\n", irqno);
> + printk(KERN_ERR "aha152x: caught interrupt %d for unknown controller.\n", irqno);
> return IRQ_NONE;
> }
>
> @@ -2976,6 +3001,9 @@
> Scsi_Cmnd *ptr;
> unsigned long flags;
>
> + if(!shpnt)
> + return;
> +
> DO_LOCK(flags);
> printk(KERN_DEBUG "\nqueue status:\nissue_SC:\n");
> for (ptr = ISSUE_SC; ptr; ptr = SCNEXT(ptr))
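
Review bot: the new `if(!shpnt) return;` ahead of DO_LOCK() has no comment explaining when this function can be handed a NULL host. Since the patch now leaves NULL holes in aha152x_host[], a one-line comment naming that case would help, and it is worth checking that every other walker of the array has the same guard.
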
> @@ -3941,7 +3969,6 @@
>
> for(i=0; i<ARRAY_SIZE(setup); i++) {
> aha152x_release(aha152x_host[i]);
> - aha152x_host[i]=NULL;
> }
> }
>
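
Review bot: this loop is bounded by ARRAY_SIZE(setup) but indexes aha152x_host[], while the loops added elsewhere in the patch use ARRAY_SIZE(aha152x_host). Unless the two arrays are guaranteed to be the same size, this either reads past the end of aha152x_host[] or skips registered hosts; using ARRAY_SIZE(aha152x_host) here would make it consistent. With the assignment removed, the braces around the single remaining statement can go as well.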

---
~Randy