* [PATCH] i5000_edac: fix slot number passed to determine_mtr()
@ 2022-07-26 19:04 Aristeu Rozanski
0 siblings, 0 replies; 2+ messages in thread
From: Aristeu Rozanski @ 2022-07-26 19:04 UTC (permalink / raw)
To: linux-edac; +Cc: Mauro Carvalho Chehab, Borislav Petkov
When the logic mapping branch/slot/channel was reworked back in
64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information")
i5000_init_csrows() was not updated and kept passing twice the number
of slots to determine_mtr(), which leads to acessing past the end of
i5000_pvt.b1_mtr[]. This was found by KASAN.
Fixes: 64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information")
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
---
drivers/edac/i5000_edac.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- linus-2.6.orig/drivers/edac/i5000_edac.c 2022-07-25 15:26:40.093989879 -0400
+++ linus-2.6/drivers/edac/i5000_edac.c 2022-07-26 14:32:23.644694778 -0400
@@ -1249,14 +1249,12 @@ static int i5000_init_csrows(struct mem_
struct i5000_pvt *pvt;
struct dimm_info *dimm;
int empty;
- int max_csrows;
int mtr;
int csrow_megs;
int channel;
int slot;
pvt = mci->pvt_info;
- max_csrows = pvt->maxdimmperch * 2;
empty = 1; /* Assume NO memory */
@@ -1267,7 +1265,7 @@ struct i5000_pvt *pvt;
* to map the dimms. A good cleanup would be to remove this array,
* and do a loop here with branch, channel, slot
*/
- for (slot = 0; slot < max_csrows; slot++) {
+ for (slot = 0; slot < pvt->maxdimmperch; slot++) {
for (channel = 0; channel < pvt->maxch; channel++) {
mtr = determine_mtr(pvt, slot, channel);
--
Aristeu
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH] i5000_edac: fix slot number passed to determine_mtr()
@ 2022-08-02 14:28 Aristeu Rozanski
0 siblings, 0 replies; 2+ messages in thread
From: Aristeu Rozanski @ 2022-08-02 14:28 UTC (permalink / raw)
To: linux-edac; +Cc: mchehab, bp
When the logic mapping branch/slot/channel was reworked back in
64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information")
i5000_init_csrows() was not updated and kept passing twice the number
of slots to determine_mtr(), which leads to acessing past the end of
i5000_pvt.b1_mtr[]. This was found by KASAN.
Fixes: 64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information")
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
---
drivers/edac/i5000_edac.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- linus-2.6.orig/drivers/edac/i5000_edac.c 2022-07-25 15:26:40.093989879 -0400
+++ linus-2.6/drivers/edac/i5000_edac.c 2022-07-26 14:32:23.644694778 -0400
@@ -1249,14 +1249,12 @@ static int i5000_init_csrows(struct mem_
struct i5000_pvt *pvt;
struct dimm_info *dimm;
int empty;
- int max_csrows;
int mtr;
int csrow_megs;
int channel;
int slot;
pvt = mci->pvt_info;
- max_csrows = pvt->maxdimmperch * 2;
empty = 1; /* Assume NO memory */
@@ -1267,7 +1265,7 @@ struct i5000_pvt *pvt;
* to map the dimms. A good cleanup would be to remove this array,
* and do a loop here with branch, channel, slot
*/
- for (slot = 0; slot < max_csrows; slot++) {
+ for (slot = 0; slot < pvt->maxdimmperch; slot++) {
for (channel = 0; channel < pvt->maxch; channel++) {
mtr = determine_mtr(pvt, slot, channel);
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-08-02 14:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-26 19:04 [PATCH] i5000_edac: fix slot number passed to determine_mtr() Aristeu Rozanski
2022-08-02 14:28 Aristeu Rozanski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).