From 3f108de96ba449a8df3d7e3c053bf890fee2cb95 Mon Sep 17 00:00:00 2001 From: Chen Gang Date: Mon, 27 May 2013 04:57:09 +0000 Subject: parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller --- arch/parisc/kernel/drivers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'arch/parisc') diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c index 5709c5e59be..14285caec71 100644 --- a/arch/parisc/kernel/drivers.c +++ b/arch/parisc/kernel/drivers.c @@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath); static void setup_bus_id(struct parisc_device *padev) { struct hardware_path path; - char name[20]; + char name[28]; char *output = name; int i; -- cgit v1.2.3-18-g5258 From ae249b5fa27f9fba25aa59664d4338efc2dd2394 Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Tue, 28 May 2013 20:35:54 +0000 Subject: parisc: fix kernel BUG at arch/parisc/include/asm/mmzone.h:50 With CONFIG_DISCONTIGMEM=y and multiple physical memory areas, cat /proc/kpageflags triggers this kernel bug: kernel BUG at arch/parisc/include/asm/mmzone.h:50! CPU: 2 PID: 7848 Comm: cat Tainted: G D W 3.10.0-rc3-64bit #44 IAOQ[0]: kpageflags_read0x128/0x238 IAOQ[1]: kpageflags_read0x12c/0x238 RP(r2): proc_reg_read0xbc/0x130 Backtrace: [<00000000402ca2d4>] proc_reg_read0xbc/0x130 [<0000000040235bcc>] vfs_read0xc4/0x1d0 [<0000000040235f0c>] SyS_read0x94/0xf0 [<0000000040105fc0>] syscall_exit0x0/0x14 kpageflags_read() walks through the whole memory, even if some memory areas are physically not available. So, we should better not BUG on an unavailable pfn in pfn_to_nid() but just return the expected value -1 or 0. Signed-off-by: Helge Deller --- arch/parisc/include/asm/mmzone.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'arch/parisc') diff --git a/arch/parisc/include/asm/mmzone.h b/arch/parisc/include/asm/mmzone.h index 0e625ab9aae..cc50d33b7b8 100644 --- a/arch/parisc/include/asm/mmzone.h +++ b/arch/parisc/include/asm/mmzone.h @@ -39,17 +39,14 @@ extern unsigned char pfnnid_map[PFNNID_MAP_MAX]; static inline int pfn_to_nid(unsigned long pfn) { unsigned int i; - unsigned char r; if (unlikely(pfn_is_io(pfn))) return 0; i = pfn >> PFNNID_SHIFT; BUG_ON(i >= ARRAY_SIZE(pfnnid_map)); - r = pfnnid_map[i]; - BUG_ON(r == 0xff); - return (int)r; + return (int)pfnnid_map[i]; } static inline int pfn_valid(int pfn) -- cgit v1.2.3-18-g5258 From 766039022a480ede847659daaa78772bdcc598ae Mon Sep 17 00:00:00 2001 From: Paul Bolle Date: Wed, 29 May 2013 09:56:58 +0000 Subject: parisc: rename "CONFIG_PA7100" to "CONFIG_PA7000" There's a Makefile line setting cflags for CONFIG_PA7100. But that Kconfig macro doesn't exist. There is a Kconfig symbol PA7000, which covers both PA7000 and PA7100 processors. So let's use the corresponding Kconfig macro. Signed-off-by: Paul Bolle Signed-off-by: Helge Deller --- arch/parisc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'arch/parisc') diff --git a/arch/parisc/Makefile b/arch/parisc/Makefile index 197690068f8..96ec3982be8 100644 --- a/arch/parisc/Makefile +++ b/arch/parisc/Makefile @@ -66,7 +66,7 @@ KBUILD_CFLAGS_KERNEL += -mlong-calls endif # select which processor to optimise for -cflags-$(CONFIG_PA7100) += -march=1.1 -mschedule=7100 +cflags-$(CONFIG_PA7000) += -march=1.1 -mschedule=7100 cflags-$(CONFIG_PA7200) += -march=1.1 -mschedule=7200 cflags-$(CONFIG_PA7100LC) += -march=1.1 -mschedule=7100LC cflags-$(CONFIG_PA7300LC) += -march=1.1 -mschedule=7300 -- cgit v1.2.3-18-g5258 From ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 Mon Sep 17 00:00:00 2001 From: Chen Gang Date: Thu, 30 May 2013 01:18:43 +0000 Subject: parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller --- arch/parisc/kernel/setup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'arch/parisc') diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c index 76b63e726a5..1e95b2000ce 100644 --- a/arch/parisc/kernel/setup.c +++ b/arch/parisc/kernel/setup.c @@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p) /* called from hpux boot loader */ boot_command_line[0] = '\0'; } else { - strcpy(boot_command_line, (char *)__va(boot_args[1])); + strlcpy(boot_command_line, (char *)__va(boot_args[1]), + COMMAND_LINE_SIZE); #ifdef CONFIG_BLK_DEV_INITRD if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ -- cgit v1.2.3-18-g5258