linux/drivers/block
Patrick McHardy 61808c2bbb [PATCH] cciss: fix use-after-free in cciss_init_one
free_hba() sets hba[i] to NULL, the dereference afterwards results in this
crash.  Setting busy_initializing to 0 actually looks unnecessary, but I'm
not entirely sure, which is why I left it in.

cciss: controller appears to be disabled
Unable to handle kernel NULL pointer dereference at virtual address 00000370
 printing eip:
c1114d53
*pde = 00000000
Oops: 0002 [#1]
Modules linked in:
CPU:    0
EIP:    0060:[<c1114d53>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16 #1)
EIP is at cciss_init_one+0x4e9/0x4fe
eax: 00000000   ebx: c132cd60   ecx: c13154e4   edx: c27d3c00
esi: 00000000   edi: c2748800   ebp: c2536ee4   esp: c2536eb8
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38 f7c74740
       c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04 c10c1d85
       c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000 c2536f28
Call Trace:
 [<c10031d5>] show_stack_log_lvl+0xa8/0xb0
 [<c1003305>] show_registers+0x102/0x16a
 [<c10034a2>] die+0xc1/0x13c
 [<c1288160>] do_page_fault+0x38a/0x525
 [<c1002e9b>] error_code+0x4f/0x54
 [<c10c1d51>] pci_call_probe+0xd/0x10
 [<c10c1d85>] __pci_device_probe+0x31/0x43
 [<c10c1db8>] pci_device_probe+0x21/0x34
 [<c110a654>] driver_probe_device+0x44/0x99
 [<c110a73f>] __driver_attach+0x39/0x5d
 [<c1109e1c>] bus_for_each_dev+0x35/0x5a
 [<c110a777>] driver_attach+0x14/0x16
 [<c110a220>] bus_add_driver+0x5c/0x8f
 [<c110ab22>] driver_register+0x73/0x78
 [<c10c1f6d>] __pci_register_driver+0x5f/0x71
 [<c13bf935>] cciss_init+0x1a/0x1c
 [<c13aa718>] do_initcalls+0x4c/0x96
 [<c13aa77e>] do_basic_setup+0x1c/0x1e
 [<c10002b1>] init+0x35/0x118
 [<c1000cf5>] kernel_thread_helper+0x5/0xb
Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de 40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 <c7> 80 70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
 <0>Kernel panic - not syncing: Attempted to kill init!

Signed-off-by: Patrick McHardy <kaber@trash.net>
Cc: <mike.miller@hp.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-23 07:38:03 -08:00
aoe [PATCH] Add block_device_operations.getgeo block device method 2006-01-08 20:13:54 -08:00
paride [PATCH] Add block_device_operations.getgeo block device method 2006-01-08 20:13:54 -08:00
acsi_slm.c [PATCH] timer initialization cleanup: DEFINE_TIMER 2005-09-09 14:03:48 -07:00
acsi.c [PATCH] Add block_device_operations.getgeo block device method 2006-01-08 20:13:54 -08:00
amiflop.c [PATCH] m68k: kill mach_floppy_setup, convert to proper __setup() in drivers 2006-01-12 09:09:05 -08:00
ataflop.c [PATCH] m68k: kill mach_floppy_setup, convert to proper __setup() in drivers 2006-01-12 09:09:05 -08:00
cciss_cmd.h [PATCH] cciss: direct lookup for command completions 2005-09-13 08:22:30 -07:00
cciss_scsi.c [PATCH] cciss: adds MSI and MSI-X support 2006-01-08 20:14:00 -08:00
cciss_scsi.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cciss.c [PATCH] cciss: fix use-after-free in cciss_init_one 2006-03-23 07:38:03 -08:00
cciss.h [PATCH] cciss: avoid defining useless MAJOR_NR macro 2006-01-08 20:14:09 -08:00
cpqarray.c [PATCH] drivers/block: Use ARRAY_SIZE macro 2006-01-08 20:14:08 -08:00
cpqarray.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cryptoloop.c [CRYPTO]: Use CRYPTO_TFM_REQ_MAY_SLEEP where appropriate 2005-09-01 17:43:25 -07:00
DAC960.c [PATCH] dac960: add disk entropy in request completions 2006-03-08 14:15:04 -08:00
DAC960.h [PATCH] DAC960: add support for Mylex AcceleRAID 4/5/600 2005-05-05 16:36:43 -07:00
floppy.c remove unused LOCAL_END_REQUEST 2006-01-15 02:20:28 +01:00
ida_cmd.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ida_ioctl.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Kconfig [PATCH] pktcdvd: Don't waste kernel memory 2006-02-05 11:06:52 -08:00
loop.c [PATCH] regularize blk_cleanup_queue() use 2006-03-18 18:34:20 -05:00
Makefile [BLOCK] Move all core block layer code to new block/ directory 2005-11-04 08:43:35 +01:00
nbd.c [PATCH] nbd: remove duplicate assignment 2006-01-08 20:13:54 -08:00
pktcdvd.c [PATCH] regularize blk_cleanup_queue() use 2006-03-18 18:34:20 -05:00
ps2esdi.c [PATCH] Fix drivers/block/ps2esdi.c compile 2006-01-16 20:24:45 -08:00
rd.c [PATCH] add AOP_TRUNCATED_PAGE, prepend AOP_ to WRITEPAGE_ACTIVATE 2006-01-03 11:45:42 -08:00
smart1,2.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
swim3.c [PATCH] powerpc: Remove device_node addrs/n_addr 2006-01-09 14:53:55 +11:00
swim_iop.c [PATCH] drivers/block: fix-up schedule_timeout() usage 2005-09-10 10:06:38 -07:00
sx8.c Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/pci-2.6 2006-01-09 18:41:42 -08:00
ub.c [PATCH] USB: ub 03 drop stall clearing 2006-03-20 14:50:00 -08:00
umem.c [PATCH] regularize blk_cleanup_queue() use 2006-03-18 18:34:20 -05:00
viodasd.c [PATCH] powerpc: remove bitfields from HvLpEvent 2006-01-12 20:09:29 +11:00
xd.c [PATCH] drivers/block: Use ARRAY_SIZE macro 2006-01-08 20:14:08 -08:00
xd.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
z2ram.c [PATCH] vfree and kfree cleanup in drivers/ 2005-09-10 10:06:30 -07:00