[PATCH] validate_mem uses uninitialized memory

Pavel Roskin proski at gnu.org
Mon Apr 21 13:46:32 BST 2003 

Hello, Russell!

If I compile a recent 2.5.x kernel without CONFIG_ISA defined, I get an
oops in validate_mem().  Stack trace contains 0x6b6b6b6 - a clear sign
that freed memory is being accessed:

*pde = 00000000
Oops: 0000 [#1]
CPU:    0
EIP:    0060:[<c88edef0>]    Not tainted
EFLAGS: 00010a83
EIP is at validate_mem+0x70/0xb0 [pcmcia_core]
eax: 00000000   ebx: 6b6b6b6b   ecx: 00000001   edx: c02fd078
esi: c551a000   edi: c551a000   ebp: c4a15a10   esp: c4a159fc
ds: 007b   es: 007b   ss: 0068
Process cardmgr (pid: 1096, threadinfo=c4a14000 task=c62bc120)
Stack: 000c0000 00000000 c551a000 0000c001 c551a03c c4a15a3c c88eb11a c551a000
       00000000 00000000 c4a15a30 c0147721 c4b77ebc 00000002 c4a15ac2 c4a15ac2
       c4a15a70 c88eb359 c551a000 00000000 00000021 00000021 00000000 00000002
Call Trace:
 [<c88eb11a>] set_cis_map+0x9a/0x110 [pcmcia_core]
 [<c0147721>] wake_up_buffer+0x11/0x30
 [<c88eb359>] read_cis_mem+0x1c9/0x250 [pcmcia_core]
 [<c88eb78b>] read_cis_cache+0x17b/0x1c0 [pcmcia_core]
 [<c88ebd5c>] pcmcia_get_next_tuple+0x9c/0x2b0 [pcmcia_core]
 [<c88eba75>] pcmcia_get_first_tuple+0xb5/0x160 [pcmcia_core]

It's the second validate_mem() in drivers/pcmcia/rsrc_mgr.c - the one used
when CONFIG_PCMCIA_PROBE is not defined.  It turns out the memory is freed
in do_mem_probe() when it's called from validate_mem().

The solution is to use the same trick as in the first validate_mem().
This problem is quite serious and it's not specific to the plx9052 driver.
I see it with yenta_socket as well.

Here's the patch:

===============================
--- linux.orig/drivers/pcmcia/rsrc_mgr.c
+++ linux/drivers/pcmcia/rsrc_mgr.c
@@ -499,14 +499,16 @@ void validate_mem(socket_info_t *s)

 void validate_mem(socket_info_t *s)
 {
-    resource_map_t *m;
+    resource_map_t *m, *n;
     static int done = 0;

     if (probe_mem && done++ == 0) {
 	down(&rsrc_sem);
-	for (m = mem_db.next; m != &mem_db; m = m->next)
+	for (m = mem_db.next; m != &mem_db; m = n) {
+	    n = m->next;
 	    if (do_mem_probe(m->base, m->num, s))
 		break;
+	}
 	up(&rsrc_sem);
     }
 }
===============================

-- 
Regards,
Pavel Roskin

More information about the linux-pcmcia mailing list