diff options
| author | Tim Sell <[email protected]> | 2015-07-13 14:51:24 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <[email protected]> | 2015-07-14 18:36:48 -0700 |
| commit | d253058f490febdfdbe0a0f09a25166c71afd2b3 (patch) | |
| tree | 1b425e94001ae1255819964a5ab9e4391f87e130 /include/linux/cdev.h | |
| parent | fd012d0def470d6c2e1a441421d00404240e7fec (diff) | |
staging: unisys: fix random memory corruption in visorchannel_write()
visorchannel_write() and it's user visorbus_write_channel() are
exported, so all visorbus function drivers (i.e., drivers that call
visorbus_register_visor_driver()) are potentially affected by the bug.
Because of pointer-arithmetic rules, the address being written to in the
affected code was actually at byte offset:
sizeof(struct channel_header) * offset
instead of just <offset> bytes as intended.
The bug could cause some very difficult-to-diagnose symptoms. The
particular problem that led me on this chase was a kernel fault that
would occur during 'insmod visornic' after a previous 'rmmod visornic',
where we would fault during netdev_register_kobject() within
pm_runtime_set_memalloc_noio() while traversing a device list, which
occurred because dev->parent for the visorbus device had become
corrupted.
Fixes: 0abb60c1c ('staging: unisys: visorchannel_write(): Handle...')
Signed-off-by: Tim Sell <[email protected]>
Acked-by: Don Zickus <[email protected]>
Signed-off-by: Benjamin Romer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat (limited to 'include/linux/cdev.h')
0 files changed, 0 insertions, 0 deletions