Re: [PATCH] Fix bug: accessing past end of array.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[adding linux-scsi]

On Sun, 25 Jun 2006 19:06:46 -0700 (PDT) Alex Davis wrote:

> If the card is re-inserted 2 or more times, we access elements
> past the end of the aha152x_host array.

When I was testing/reproducing this, I observed that removing
the card did not cause the aha152x_detach() function to be called
(in drivers/scsi/pcmcia/aha152x_stub.c).  However, I didn't
find out why that doesn't happen.  I think fixing this would
be a big help.


> Also correct spelling errors.
> 
> This is for 2.6.17.
> 
> Signed-off-by Alex Davis <alex14641 at yahoo dot com>
> =========================================================================
> diff -u linux-2.6.17.1-orig/drivers/scsi/aha152x.c linux-2.6.17.1/drivers/scsi/aha152x.c
> --- linux-2.6.17.1-orig/drivers/scsi/aha152x.c	2006-06-17 21:49:35.000000000 -0400
> +++ linux-2.6.17.1/drivers/scsi/aha152x.c	2006-06-25 20:06:05.000000000 -0400
> @@ -766,7 +766,7 @@
>  	struct Scsi_Host *shpnt = lookup_irq(irqno);
>  
>  	if (!shpnt) {
> -        	printk(KERN_ERR "aha152x: catched software interrupt %d for unknown controller.\n",
> irqno);
> +        	printk(KERN_ERR "aha152x: caught software interrupt %d for unknown controller.\n",
> irqno);
>  		return IRQ_NONE;
>  	}
>  
> @@ -779,6 +779,7 @@
>  struct Scsi_Host *aha152x_probe_one(struct aha152x_setup *setup)
>  {
>  	struct Scsi_Host *shpnt;
> +	int i;
>  
>  	shpnt = scsi_host_alloc(&aha152x_driver_template, sizeof(struct aha152x_hostdata));
>  	if (!shpnt) {
> @@ -787,6 +788,22 @@
>  	}
>  
>  	/* need to have host registered before triggering any interrupt */
> +
> +	/* find an empty slot. */
> +	for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
> +		if ( aha152x_host[i] == NULL ) {
> +			break;
> +		}
> +	}
> +
> +	/* no empty slots? */
> +	if ( i >= ARRAY_SIZE(aha152x_host) ) {
> +		printk(KERN_ERR "aha152x: too many hosts: %d\n", i + 1);
> +		return NULL;
> +	}
> +
> +	registered_count = i;
> +
>  	aha152x_host[registered_count] = shpnt;
>  
>  	memset(HOSTDATA(shpnt), 0, sizeof *HOSTDATA(shpnt));
> @@ -915,6 +932,8 @@
>  
>  void aha152x_release(struct Scsi_Host *shpnt)
>  {
> +	int i;
> +
>  	if(!shpnt)
>  		return;
>  
> @@ -933,6 +952,12 @@
>  
>  	scsi_remove_host(shpnt);
>  	scsi_host_put(shpnt);
> +	for ( i = 0; i < ARRAY_SIZE(aha152x_host); ++i ) {
> +		if ( aha152x_host[i] == shpnt ) {
> +			aha152x_host[i] = NULL;
> +			break;
> +		}
> +	}
>  }
>  
>  
> @@ -1458,7 +1483,7 @@
>  	unsigned char rev, dmacntrl0;
>  
>  	if (!shpnt) {
> -		printk(KERN_ERR "aha152x: catched interrupt %d for unknown controller.\n", irqno);
> +		printk(KERN_ERR "aha152x: caught interrupt %d for unknown controller.\n", irqno);
>  		return IRQ_NONE;
>  	}
>  
> @@ -2976,6 +3001,9 @@
>  	Scsi_Cmnd *ptr;
>  	unsigned long flags;
>  
> +	if(!shpnt)
> +		return;
> +
>  	DO_LOCK(flags);
>  	printk(KERN_DEBUG "\nqueue status:\nissue_SC:\n");
>  	for (ptr = ISSUE_SC; ptr; ptr = SCNEXT(ptr))
> @@ -3941,7 +3969,6 @@
>  
>  	for(i=0; i<ARRAY_SIZE(setup); i++) {
>  		aha152x_release(aha152x_host[i]);
> -		aha152x_host[i]=NULL;
>  	}
>  }
> 

---
~Randy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux