MIPS: MSC: Prevent out-of-bounds writes to MIPS SC ioremap'd region

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Previously, the lower limit for the MIPS SC initialization loop was
set incorrectly allowing one extra loop leading to writes
beyond the MSC ioremap'd space. More precisely, the value of the 'imp'
in the last loop increased beyond the msc_irqmap_t boundaries and
as a result of which, the 'n' variable was loaded with an incorrect
value. This value was used later on to calculate the offset in the
MSC01_IC_SUP which led to random crashes like the following one:

CPU 0 Unable to handle kernel paging request at virtual address e75c0200,
epc == 8058dba4, ra == 8058db90
[...]
Call Trace:
[<8058dba4>] init_msc_irqs+0x104/0x154
[<8058b5bc>] arch_init_irq+0xd8/0x154
[<805897b0>] start_kernel+0x220/0x36c

Kernel panic - not syncing: Attempted to kill the idle task!

This patch fixes the problem

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: stable@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7118/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

authored by

Markos Chandras and committed by

Ralf Baechle 11 years ago ab6c15bc d8214ef1

+1 -1

1 changed file

expand all

arch

mips

kernel

irq-msc01.c

+1 -1

arch/mips/kernel/irq-msc01.c

··· 126 126 127 127 board_bind_eic_interrupt = &msc_bind_eic_interrupt; 128 128 129 - for (; nirq >= 0; nirq--, imp++) { 129 + for (; nirq > 0; nirq--, imp++) { 130 130 int n = imp->im_irq; 131 131 132 132 switch (imp->im_type) {