diff options
author | Bjorn Helgaas <bjorn.helgaas@hp.com> | 2008-08-01 17:58:17 -0400 |
---|---|---|
committer | Andi Kleen <ak@linux.intel.com> | 2008-08-14 21:17:07 -0400 |
commit | fa46d3526461e8aa7c0fb39cc1b98ac656695a43 (patch) | |
tree | 0094d2a1ff5782cdf6f65dcdf8c7c54e0e1bded9 | |
parent | b635acec48bcaa9183fcbf4e3955616b0d4119b5 (diff) |
ACPI: bounds check IRQ to prevent memory corruption
acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.
Here's the path I'm concerned about:
pnpacpi_parse_allocated_irqresource()
{
...
irq = acpi_register_gsi(gsi, triggering, polarity);
if (irq >= 0)
pcibios_penalize_isa_irq(irq, 1);
There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].
I have not seen a failure I can attribute to this. However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.
I think this should go in 2.6.27.
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
-rw-r--r-- | drivers/acpi/pci_link.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c index 89f3b2abfdc7..cf47805a7448 100644 --- a/drivers/acpi/pci_link.c +++ b/drivers/acpi/pci_link.c | |||
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used) | |||
849 | if (irq < 0) | 849 | if (irq < 0) |
850 | continue; | 850 | continue; |
851 | 851 | ||
852 | if (irq >= ACPI_MAX_IRQS) | 852 | if (irq >= ARRAY_SIZE(acpi_irq_penalty)) |
853 | continue; | 853 | continue; |
854 | 854 | ||
855 | if (used) | 855 | if (used) |
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used) | |||
872 | */ | 872 | */ |
873 | void acpi_penalize_isa_irq(int irq, int active) | 873 | void acpi_penalize_isa_irq(int irq, int active) |
874 | { | 874 | { |
875 | if (active) | 875 | if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) { |
876 | acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; | 876 | if (active) |
877 | else | 877 | acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED; |
878 | acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; | 878 | else |
879 | acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING; | ||
880 | } | ||
879 | } | 881 | } |
880 | 882 | ||
881 | /* | 883 | /* |