diff options
author | Wu Fengguang <fengguang.wu@intel.com> | 2012-09-01 17:25:46 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-09-04 15:11:56 -0400 |
commit | b320e97240de0f98b81f866d59f47af41780eab0 (patch) | |
tree | a4282f67a74d3c30742f5e1386f30c48a6355c5f /drivers/net/ethernet/i825xx | |
parent | 3b59df46a449ec9975146d71318c4777ad086744 (diff) |
i825xx: fix paging fault on znet_probe()
In znet_probe(), strncmp() may access beyond 0x100000 and
trigger the below oops in kvm. Fix it by limiting the loop
under 0x100000-8. I suspect the limit could be further decreased
to 0x100000-sizeof(struct netidblk), however no datasheet at hand..
[ 3.744312] BUG: unable to handle kernel paging request at 80100000
[ 3.746145] IP: [<8119d12a>] strncmp+0xc/0x20
[ 3.747446] *pde = 01d10067 *pte = 00100160
[ 3.747493] Oops: 0000 [#1] DEBUG_PAGEALLOC
[ 3.747493] Pid: 1, comm: swapper Not tainted 3.6.0-rc1-00018-g57bfc0a #73 Bochs Bochs
[ 3.747493] EIP: 0060:[<8119d12a>] EFLAGS: 00010206 CPU: 0
[ 3.747493] EIP is at strncmp+0xc/0x20
[ 3.747493] EAX: 800fff4e EBX: 00000006 ECX: 00000006 EDX: 814d2bb9
[ 3.747493] ESI: 80100000 EDI: 814d2bba EBP: 8e03dfa0 ESP: 8e03df98
[ 3.747493] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 3.747493] CR0: 8005003b CR2: 80100000 CR3: 016f7000 CR4: 00000690
[ 3.747493] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 3.747493] DR6: ffff0ff0 DR7: 00000400
[ 3.747493] Process swapper (pid: 1, ti=8e03c000 task=8e040000 task.ti=8e03c000)
[ 3.747493] Stack:
[ 3.747493] 800fffff 00000000 8e03dfb4 816a1376 00000006 816a134a 00000000 8e03dfd0
[ 3.747493] 816819b5 816ed1c0 8e03dfe4 00000006 00000123 816ed604 8e03dfe4 81681b29
[ 3.747493] 00000000 81681a5b 00000000 00000000 8134e542 00000000 00000000 00000000
[ 3.747493] Call Trace:
[ 3.747493] [<816a1376>] znet_probe+0x2c/0x26b
[ 3.747493] [<816a134a>] ? dnet_driver_init+0xf/0xf
[ 3.747493] [<816819b5>] do_one_initcall+0x6a/0x110
[ 3.747493] [<81681b29>] kernel_init+0xce/0x14b
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet/i825xx')
-rw-r--r-- | drivers/net/ethernet/i825xx/znet.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/net/ethernet/i825xx/znet.c b/drivers/net/ethernet/i825xx/znet.c index bd1f1ef91e19..ba4e0cea3506 100644 --- a/drivers/net/ethernet/i825xx/znet.c +++ b/drivers/net/ethernet/i825xx/znet.c | |||
@@ -139,8 +139,11 @@ struct znet_private { | |||
139 | /* Only one can be built-in;-> */ | 139 | /* Only one can be built-in;-> */ |
140 | static struct net_device *znet_dev; | 140 | static struct net_device *znet_dev; |
141 | 141 | ||
142 | #define NETIDBLK_MAGIC "NETIDBLK" | ||
143 | #define NETIDBLK_MAGIC_SIZE 8 | ||
144 | |||
142 | struct netidblk { | 145 | struct netidblk { |
143 | char magic[8]; /* The magic number (string) "NETIDBLK" */ | 146 | char magic[NETIDBLK_MAGIC_SIZE]; /* The magic number (string) "NETIDBLK" */ |
144 | unsigned char netid[8]; /* The physical station address */ | 147 | unsigned char netid[8]; /* The physical station address */ |
145 | char nettype, globalopt; | 148 | char nettype, globalopt; |
146 | char vendor[8]; /* The machine vendor and product name. */ | 149 | char vendor[8]; /* The machine vendor and product name. */ |
@@ -373,14 +376,16 @@ static int __init znet_probe (void) | |||
373 | struct znet_private *znet; | 376 | struct znet_private *znet; |
374 | struct net_device *dev; | 377 | struct net_device *dev; |
375 | char *p; | 378 | char *p; |
379 | char *plast = phys_to_virt(0x100000 - NETIDBLK_MAGIC_SIZE); | ||
376 | int err = -ENOMEM; | 380 | int err = -ENOMEM; |
377 | 381 | ||
378 | /* This code scans the region 0xf0000 to 0xfffff for a "NETIDBLK". */ | 382 | /* This code scans the region 0xf0000 to 0xfffff for a "NETIDBLK". */ |
379 | for(p = (char *)phys_to_virt(0xf0000); p < (char *)phys_to_virt(0x100000); p++) | 383 | for(p = (char *)phys_to_virt(0xf0000); p <= plast; p++) |
380 | if (*p == 'N' && strncmp(p, "NETIDBLK", 8) == 0) | 384 | if (*p == 'N' && |
385 | strncmp(p, NETIDBLK_MAGIC, NETIDBLK_MAGIC_SIZE) == 0) | ||
381 | break; | 386 | break; |
382 | 387 | ||
383 | if (p >= (char *)phys_to_virt(0x100000)) { | 388 | if (p > plast) { |
384 | if (znet_debug > 1) | 389 | if (znet_debug > 1) |
385 | printk(KERN_INFO "No Z-Note ethernet adaptor found.\n"); | 390 | printk(KERN_INFO "No Z-Note ethernet adaptor found.\n"); |
386 | return -ENODEV; | 391 | return -ENODEV; |