From 83292e0a9c3f1c326b28fbf8cb70a8ce81a98163 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 12 Jul 2007 14:16:22 -0700 Subject: [SPARC64]: Fix MD property lifetime bugs. Property values cannot be referenced outside of mdesc_grab()/mdesc_release() pairs. The only major offender was the VIO bus layer, easily fixed. Add some commentary to mdesc.h describing these rules. Signed-off-by: David S. Miller diff --git a/arch/sparc64/kernel/vio.c b/arch/sparc64/kernel/vio.c index 64f0825..8b269aa 100644 --- a/arch/sparc64/kernel/vio.c +++ b/arch/sparc64/kernel/vio.c @@ -44,12 +44,11 @@ static const struct vio_device_id *vio_match_device( while (matches->type[0] || matches->compat[0]) { int match = 1; - if (matches->type[0]) { - match &= type - && !strcmp(matches->type, type); - } + if (matches->type[0]) + match &= !strcmp(matches->type, type); + if (matches->compat[0]) { - match &= compat && + match &= len && find_in_proplist(compat, matches->compat, len); } if (match) @@ -205,15 +204,30 @@ static struct vio_dev *vio_create_one(struct mdesc_handle *hp, u64 mp, const char *type, *compat; struct device_node *dp; struct vio_dev *vdev; - int err, clen; + int err, tlen, clen; - type = mdesc_get_property(hp, mp, "device-type", NULL); + type = mdesc_get_property(hp, mp, "device-type", &tlen); if (!type) { - type = mdesc_get_property(hp, mp, "name", NULL); - if (!type) + type = mdesc_get_property(hp, mp, "name", &tlen); + if (!type) { type = mdesc_node_name(hp, mp); + tlen = strlen(type) + 1; + } + } + if (tlen > VIO_MAX_TYPE_LEN) { + printk(KERN_ERR "VIO: Type string [%s] is too long.\n", + type); + return NULL; } + compat = mdesc_get_property(hp, mp, "device-type", &clen); + if (!compat) { + clen = 0; + } else if (clen > VIO_MAX_COMPAT_LEN) { + printk(KERN_ERR "VIO: Compat len %d for [%s] is too long.\n", + clen, type); + return NULL; + } vdev = kzalloc(sizeof(*vdev), GFP_KERNEL); if (!vdev) { @@ -222,8 +236,11 @@ static struct vio_dev *vio_create_one(struct mdesc_handle *hp, u64 mp, } vdev->mp = mp; - vdev->type = type; - vdev->compat = compat; + memcpy(vdev->type, type, tlen); + if (compat) + memcpy(vdev->compat, compat, clen); + else + memset(vdev->compat, 0, sizeof(vdev->compat)); vdev->compat_len = clen; vdev->channel_id = ~0UL; diff --git a/include/asm-sparc64/mdesc.h b/include/asm-sparc64/mdesc.h index bbb0c0b..dc372df 100644 --- a/include/asm-sparc64/mdesc.h +++ b/include/asm-sparc64/mdesc.h @@ -23,8 +23,28 @@ extern u64 mdesc_node_by_name(struct mdesc_handle *handle, (__node) != MDESC_NODE_NULL; \ __node = mdesc_node_by_name(__hdl, __node, __name)) +/* Access to property values returned from mdesc_get_property() are + * only valid inside of a mdesc_grab()/mdesc_release() sequence. + * Once mdesc_release() is called, the memory backed up by these + * pointers may reference freed up memory. + * + * Therefore callers must make copies of any property values + * they need. + * + * These same rules apply to mdesc_node_name(). + */ extern const void *mdesc_get_property(struct mdesc_handle *handle, u64 node, const char *name, int *lenp); +extern const char *mdesc_node_name(struct mdesc_handle *hp, u64 node); + +/* MD arc iteration, the standard sequence is: + * + * unsigned long arc; + * mdesc_for_each_arc(arc, handle, node, MDESC_ARC_TYPE_{FWD,BACK}) { + * unsigned long target = mdesc_arc_target(handle, arc); + * ... + * } + */ #define MDESC_ARC_TYPE_FWD "fwd" #define MDESC_ARC_TYPE_BACK "back" @@ -38,8 +58,6 @@ extern u64 mdesc_next_arc(struct mdesc_handle *handle, u64 from, extern u64 mdesc_arc_target(struct mdesc_handle *hp, u64 arc); -extern const char *mdesc_node_name(struct mdesc_handle *hp, u64 node); - extern void mdesc_update(void); extern void sun4v_mdesc_init(void); diff --git a/include/asm-sparc64/vio.h b/include/asm-sparc64/vio.h index a8a53e6..83c9642 100644 --- a/include/asm-sparc64/vio.h +++ b/include/asm-sparc64/vio.h @@ -264,12 +264,15 @@ static inline u32 vio_dring_avail(struct vio_dring_state *dr, ((dr->prod - dr->cons) & (ring_size - 1))); } +#define VIO_MAX_TYPE_LEN 64 +#define VIO_MAX_COMPAT_LEN 64 + struct vio_dev { u64 mp; struct device_node *dp; - const char *type; - const char *compat; + char type[VIO_MAX_TYPE_LEN]; + char compat[VIO_MAX_COMPAT_LEN]; int compat_len; unsigned long channel_id; -- cgit v0.10.2