On Tue, 23 Jul 2013 15:29:31 +0100 Gustavo Padovan <gust...@padovan.org> wrote:
> From: Gustavo Padovan <gustavo.pado...@collabora.co.uk>
>
> If the type we receive is greater than ST_MAX_CHANNELS we can't rely on
> type as vector index since we would be accessing unknown memory when we use
> the type as index.
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000001b
> pgd = c0004000
> [0000001b] *pgd=00000000
> Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> Modules linked in: btwilink wl12xx wlcore mac80211 cfg80211 rfcomm bnep bluo
> CPU: 0    Tainted: G        W    (3.4.0+ #15)
> PC is at st_int_recv+0x278/0x344
> LR is at get_parent_ip+0x14/0x30
> pc : [<c03b01a8>]    lr : [<c007273c>]    psr: 200f0193
> sp : dc631ed0  ip : e3e21c24  fp : dc631f04
> r10: 00000000  r9 : 600f0113  r8 : 0000003f
> r7 : e3e21b14  r6 : 00000067  r5 : e2e49c1c  r4 : e3e21a80
> r3 : 00000001  r2 : 00000001  r1 : 00000001  r0 : 600f0113
> Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
> Control: 10c5387d  Table: 9c50004a  DAC: 00000015
>
> Signed-off-by: Gustavo Padovan <gustavo.pado...@collabora.co.uk>
> ---
>  drivers/misc/ti-st/st_core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
> index 0a14280..8e64eb1 100644
> --- a/drivers/misc/ti-st/st_core.c
> +++ b/drivers/misc/ti-st/st_core.c
> @@ -343,7 +343,7 @@ void st_int_recv(void *disc_data,
>  /* Unknow packet? */
>  default:
>  type = *ptr;
> - if (st_gdata->list[type] == NULL) {
> + if (type >= ST_MAX_CHANNELS || st_gdata->list[type] ==
> NULL) {
>  pr_err("chip/interface misbehavior dropping"
>  " frame starting with 0x%02x", type);
>  goto done;

This would be a bug in the calling code, would it not?  How did this
come about?
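Review bot: the new `type >= ST_MAX_CHANNELS` guard in the `default:` arm only closes the out-of-bounds read if `type` cannot be negative, and the hunk shows `type = *ptr;` without the declaration of `type` or `ptr`, so please confirm both are unsigned. If `type` is a plain `int` loaded from a signed `char`, a received byte of 0x80 or above becomes a negative index, passes the new check, and reads `st_gdata->list[]` before the start of the array, which is the same wild-pointer read the quoted oops describes (a fault at 0000001b is what you get when garbage fetched from outside the array is dereferenced as a pointer). Declaring `type` as `unsigned char` / `unsigned int`, or casting `*ptr` explicitly, makes the bound check sufficient on every architecture regardless of the default signedness of `char`. On the question of whether this is the caller's bug: the value being validated is `*ptr`, a byte received from the chip, and the existing error string already attributes it to "chip/interface misbehavior", so the check belongs here in the receive path rather than in any caller; the commit message would read better if it said that the byte comes from the wire and the driver must bound it itself.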