[PATCH 2.6] to fix i2o_proc kernel panic on access of /proc/i2o/iop0/lct

From: Markus Lidel
Date: Sat May 08 2004 - 06:37:13 EST


Hello,

the patch fixes a bug in the i2o_proc.c module, where the kernel panics, if you access /proc/i2o/iop0/lct and read more then 1024 bytes of it.

The problem was, that no paging was implemented by the function. This is now solved.

If you have any questions, pleese feel free to contact me.

Best regards,


Markus Lidel
------------------------------------------
Markus Lidel (Senior IT Consultant)

Shadow Connect GmbH
Carl-Reisch-Weg 12
D-86381 Krumbach
Germany

Phone: +49 82 82/99 51-0
Fax: +49 82 82/99 51-11

E-Mail: Markus.Lidel@xxxxxxxxxxxxxxxxx
URL: http://www.shadowconnect.com
--- a/drivers/message/i2o/i2o_proc.c 2004-04-04 05:37:25.000000000 +0200
+++ b/drivers/message/i2o/i2o_proc.c 2004-05-07 03:33:45.136253576 +0200
@@ -406,13 +406,15 @@
return len;
}

-int i2o_proc_read_lct(char *buf, char **start, off_t offset, int len,
+int i2o_proc_read_lct(char *page, char **start, off_t off, int count,
int *eof, void *data)
{
struct i2o_controller *c = (struct i2o_controller*)data;
i2o_lct *lct = (i2o_lct *)c->lct;
int entries;
int i;
+ int len;
+ char *buf;

#define BUS_TABLE_SIZE 3
static char *bus_ports[] =
@@ -422,11 +424,13 @@
"Fibre Channel Bus"
};

- spin_lock(&i2o_proc_lock);
- len = 0;
-
entries = (lct->table_size - 3)/9;

+ buf = kmalloc(entries * 300 + 100, GFP_KERNEL);
+ if(!buf)
+ return -ENOMEM;
+ len = 0;
+
len += sprintf(buf, "LCT contains %d %s\n", entries,
entries == 1 ? "entry" : "entries");
if(lct->boot_tid)
@@ -538,7 +542,20 @@
lct->lct_entry[i].device_flags);
}

- spin_unlock(&i2o_proc_lock);
+ *start = page;
+
+ if(off > len) {
+ *eof = 1;
+ len = 0;
+ } else {
+ len -= off;
+ if(len <= count)
+ *eof = 1;
+ else
+ len = count;
+ }
+ strncpy(page, buf + off, len);
+ kfree(buf);
return len;
}