aha/drivers
Andy Isaacson bed31ed9e1 [PATCH] fix read past end of array in md/linear.c
When iterating through an array, one must be careful to test one's index
variable rather than another similarly-named variable.

The loop will read off the end of conf->disks[] in the following
(pathological) case:

  % dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1
  % for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done
  % ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4
  # mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234]

adding some printks, I saw this:

  [42949374.960000] hash_spacing = 821120
  [42949374.960000] cnt          = 4
  [42949374.960000] min_spacing  = 801
  [42949374.960000] j=0 size=820928 sz=820928
  [42949374.960000] i=0 sz=820928 hash_spacing=820928
  [42949374.960000] j=1 size=64 sz=64
  [42949374.960000] j=2 size=64 sz=128
  [42949374.960000] j=3 size=64 sz=192
  [42949374.960000] j=4 size=1515870810 sz=1515871002

Cc: Gautham R Shenoy <ego@in.ibm.com>
Acked-by: Neil Brown <neilb@cse.unsw.edu.au>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-03-16 19:25:03 -07:00
..
acorn [ARM] Acorn: move the i2c bus driver into drivers/i2c 2007-03-04 20:40:50 +00:00
acpi [PATCH] misc NULL noise 2007-03-14 15:27:49 -07:00
amba
ata [PATCH] trivial ATA iomem annotations 2007-03-14 15:27:50 -07:00
atm [PATCH] zatm __init abuse 2007-03-14 15:27:49 -07:00
auxdisplay
base [PATCH] sysfs and driver core: add callback helper, used by SCSI and S390 2007-03-15 15:29:26 -07:00
block [PATCH] paride endianness annotations 2007-03-14 15:27:50 -07:00
bluetooth
cdrom [PATCH] Fix soft lockup with iSeries viocd driver 2007-03-05 07:57:51 -08:00
char Merge master.kernel.org:/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog 2007-03-14 15:28:31 -07:00
clocksource [PATCH] clocksource init adjustments (fix bug #7426) 2007-03-05 07:57:53 -08:00
connector [CONNECTOR]: Bugfix for cn_call_callback() 2007-03-07 16:08:08 -08:00
cpufreq
crypto [PATCH] geode-aes: use unsigned long for spin_lock_irqsave 2007-03-06 09:30:25 -08:00
dio
dma
edac
eisa
fc4
firmware
hid Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jikos/hid 2007-03-15 10:50:54 -07:00
hwmon
i2c [ARM] Acorn: move the i2c bus driver into drivers/i2c 2007-03-04 20:40:50 +00:00
ide [PATCH] BLK_DEV_IDE_CELLEB dependency fix 2007-03-14 15:27:49 -07:00
ieee1394
infiniband [PATCH] fix ipath_dma_free_coherent() prototype 2007-03-14 15:27:49 -07:00
input Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/dtor/input 2007-03-08 07:28:30 -08:00
isdn [PATCH] Fix buffer overflow and races in capi debug functions 2007-03-01 14:53:39 -08:00
kvm KVM: Move kvmfs magic number to <linux/magic.h> 2007-03-04 11:12:43 +02:00
leds
macintosh
mca
md [PATCH] fix read past end of array in md/linear.c 2007-03-16 19:25:03 -07:00
media [PATCH] misc NULL noise 2007-03-14 15:27:49 -07:00
message
mfd
misc asus-laptop: make code static 2007-03-09 21:06:40 -05:00
mmc [ARM] 4256/1: i.MX/MX1 SDHC fix/workaround of SD card recognition problems 2007-03-12 16:49:37 +00:00
mtd [MTD] [OneNAND] Classify the page data and oob buffer 2007-03-09 08:08:09 +00:00
net natsemi: Avoid IntrStatus lossage if RX state machine resets. 2007-03-15 10:59:54 -04:00
nubus
oprofile
parisc
parport
pci [PATCH] pci: Repair pci_save/restore_state so we can restore one save many times. 2007-03-12 16:31:50 -07:00
pcmcia
pnp [PATCH] reduce pnp syslog spam 2007-03-16 19:25:02 -07:00
ps3 [PATCH] C99 initializers, proper use of const in drivers/ps3 2007-03-14 15:27:50 -07:00
rapidio
rtc [ARM] rtc-pcf8583: Final fixes for this RTC on RiscPC 2007-03-04 20:33:07 +00:00
s390 [PATCH] sysfs and driver core: add callback helper, used by SCSI and S390 2007-03-15 15:29:26 -07:00
sbus
scsi [PATCH] sysfs and driver core: add callback helper, used by SCSI and S390 2007-03-15 15:29:26 -07:00
serial [PATCH] 2.6 Altix: console fix for CONFIG_DEBUG_SHIRQ usage 2007-03-08 07:39:15 -08:00
sh
sn
spi
tc
telephony
usb Revert "USB: pxa2xx_udc: fix hardcoded irq number" 2007-03-10 14:22:07 -08:00
video [PATCH] misc NULL noise 2007-03-14 15:27:49 -07:00
w1
zorro
Kconfig
Makefile