projects
/
openwrt
/
svn-archive
/
archive.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
4cc1bf6
)
brcm63xx: brcm63xxpart: fix buffer overrun in of parser
author
Jonas Gorski
<jogo@openwrt.org>
Sun, 15 Mar 2015 14:19:22 +0000
(14:19 +0000)
committer
Jonas Gorski
<jogo@openwrt.org>
Sun, 15 Mar 2015 14:19:22 +0000
(14:19 +0000)
We never account for the added partitions from the tag parser, so
allocated two partioness less than needed. This can cause issues when
the memory gets reused before the mtd code can actually add the
partitions.
Fixes oopses like:
[ 0.920000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.924000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.932000] 0x0000002e0000-0x0000003f0000 : "rootfs_data"
[ 0.940000] 0x000000010000-0x0000003f0000 : "linux"
[ 0.948000] CPU 0 Unable to handle kernel paging request at virtual address
00010203
, epc ==
8028ddf8
, ra ==
801ad5d4
[ 0.956000] Oops[#1]:
[ 0.956000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.18.8 #22
[ 0.956000] task:
8181da78
ti:
8181e000
task.ti:
8181e000
[ 0.956000] $ 0 :
00000000
10008f00
00010203
81049e40
[ 0.956000] $ 4 :
00010203
000000d0
00000000
000000fd
[ 0.956000] $ 8 :
00000000
80015490
00000000
80370000
[ 0.956000] $12 :
00000000
00000001
00000000
2f736269
[ 0.956000] $16 :
00010203
000000d0
8007bde0
81482000
[ 0.956000] $20 :
00000000
00000004
81481f80
803c4b78
[ 0.956000] $24 :
00000000
00000000
[ 0.956000] $28 :
8181e000
8181fbe8
80b20000
801ad5d4
[ 0.956000] Hi :
00000000
[ 0.956000] Lo :
00000000
[ 0.956000] epc :
8028ddf8
strlen+0x4/0x20
[ 0.956000] Not tainted
[ 0.956000] ra :
801ad5d4
kstrdup+0x30/0x84
[ 0.956000] Status:
10008f03
KERNEL EXL IE
[ 0.956000] Cause :
00800008
[ 0.956000] BadVA :
00010203
[ 0.956000] PrId :
0002a010
(Broadcom BMIPS4350)
[ 0.956000] Modules linked in:
[ 0.956000] Process swapper/0 (pid: 1, threadinfo=
8181e000
, task=
8181da78
, tls=
00000000
)
[ 0.956000] Stack :
8148aa00
803c4bcc
00000000
801cd9d0
00000000
8148a400
818a1400
003f0000
81482000
8007bde0
8148aa00
800ac78c
8148aa00
00000004
8037ae30
8181fc4c
8148aa00
803bc074
803c0000
80074b84
00000000
00010000
00000004
ffffffff
8037ae30
00000004
8148aa00
00000004
803c4b80
818a1400
803c0000
00000005
81481f80
80074ce0
8181fc84
00000005
81879800
8008ece4
00000000
003f0000
...
[ 0.956000] Call Trace:
[ 0.956000] [<
8028ddf8
>] strlen+0x4/0x20
[ 0.956000] [<
801ad5d4
>] kstrdup+0x30/0x84
[ 0.956000] [<
8007bde0
>] allocate_partition+0x58/0x93c
[ 0.956000] [<
80074ce0
>] add_mtd_partitions+0x90/0x144
[ 0.956000] [<
801cc228
>] mtd_device_parse_register+0x78/0xcc
[ 0.956000] [<
801e7870
>] of_flash_probe+0x658/0x728
[ 0.956000] [<
80216ee0
>] platform_drv_probe+0x24/0x60
[ 0.956000] [<
801221f4
>] driver_probe_device+0xcc/0x214
[ 0.956000] [<
800466f8
>] __driver_attach+0x7c/0xb4
[ 0.956000] [<
800c38bc
>] bus_for_each_dev+0x94/0xa4
[ 0.956000] [<
800c35e4
>] bus_add_driver+0x104/0x1ec
[ 0.956000] [<
80122400
>] driver_register+0xac/0x100
[ 0.956000] [<
80113a5c
>] do_one_initcall+0x148/0x204
[ 0.956000] [<
803cbd1c
>] kernel_init_freeable+0x168/0x220
[ 0.956000] [<
800157bc
>] kernel_init+0x10/0x114
[ 0.956000] [<
800108a8
>] ret_from_kernel_thread+0x14/0x1c
[ 0.956000]
[ 0.956000]
Code:
03e00008
27bd0028
00801021
<
80430000
>
10600003
00000000
080a377e
24420001
03e00008
[ 1.192000] ---[ end trace
9d89ccbcae27fe40
]---
[ 1.200000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 1.200000]
[ 1.200000] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 44787
target/linux/brcm63xx/patches-3.14/425-bcm63xxpart_parse_paritions_from_dt.patch
patch
|
blob
|
history
target/linux/brcm63xx/patches-3.18/425-bcm63xxpart_parse_paritions_from_dt.patch
patch
|
blob
|
history
diff --git
a/target/linux/brcm63xx/patches-3.14/425-bcm63xxpart_parse_paritions_from_dt.patch
b/target/linux/brcm63xx/patches-3.14/425-bcm63xxpart_parse_paritions_from_dt.patch
index 7f3890eb0a717d566ba6cd7f256fe412e3d57b33..53fc4c5d23089fc902c27ba162b56e395c1d2f27 100644
(file)
--- a/
target/linux/brcm63xx/patches-3.14/425-bcm63xxpart_parse_paritions_from_dt.patch
+++ b/
target/linux/brcm63xx/patches-3.14/425-bcm63xxpart_parse_paritions_from_dt.patch
@@
-109,7
+109,7
@@
}
} else {
pr_warn("CFE boot tag CRC invalid (expected %08x, actual %08x)\n",
}
} else {
pr_warn("CFE boot tag CRC invalid (expected %08x, actual %08x)\n",
-@@ -139,16 +108,1
45
@@ static int bcm63xx_parse_cfe_partitions(
+@@ -139,16 +108,1
53
@@ static int bcm63xx_parse_cfe_partitions(
kernellen = 0;
rootfslen = 0;
rootfsaddr = 0;
kernellen = 0;
rootfslen = 0;
rootfsaddr = 0;
@@
-165,6
+165,16
@@
+ if (node_has_compatible(pp))
+ continue;
+
+ if (node_has_compatible(pp))
+ continue;
+
++ if (!of_get_property(pp, "reg", &len))
++ continue;
++
++ partname = of_get_property(pp, "label", &len);
++ if (!partname)
++ partname = of_get_property(pp, "name", &len);
++
++ if (!strcmp(partname, "linux"))
++ nr_parts += 2;
++
+ nr_parts++;
+ }
+
+ nr_parts++;
+ }
+
@@
-182,10
+192,8
@@
+ continue;
+
+ reg = of_get_property(pp, "reg", &len);
+ continue;
+
+ reg = of_get_property(pp, "reg", &len);
-+ if (!reg) {
-+ nr_parts--;
++ if (!reg)
+ continue;
+ continue;
-+ }
+
+ a_cells = of_n_addr_cells(pp);
+ s_cells = of_n_size_cells(pp);
+
+ a_cells = of_n_addr_cells(pp);
+ s_cells = of_n_size_cells(pp);
@@
-262,7
+270,7
@@
if (caldatalen1 > 0)
nrparts++;
if (caldatalen1 > 0)
nrparts++;
-@@ -158,10 +2
56
,8 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -158,10 +2
64
,8 @@ static int bcm63xx_parse_cfe_partitions(
/* Ask kernel for more memory */
parts = kzalloc(sizeof(*parts) * nrparts + 10 * nrparts, GFP_KERNEL);
/* Ask kernel for more memory */
parts = kzalloc(sizeof(*parts) * nrparts + 10 * nrparts, GFP_KERNEL);
@@
-274,7
+282,7
@@
/* Start building partition list */
parts[curpart].name = "CFE";
/* Start building partition list */
parts[curpart].name = "CFE";
-@@ -169,29 +2
65
,7 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -169,29 +2
73
,7 @@ static int bcm63xx_parse_cfe_partitions(
parts[curpart].size = cfelen;
curpart++;
parts[curpart].size = cfelen;
curpart++;
@@
-305,7
+313,7
@@
if (caldatalen1 > 0) {
if (caldatalen2 > 0)
if (caldatalen1 > 0) {
if (caldatalen2 > 0)
-@@ -217,25 +29
1
,33 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -217,25 +29
9
,33 @@ static int bcm63xx_parse_cfe_partitions(
/* Global partition "linux" to make easy firmware upgrade */
parts[curpart].name = "linux";
/* Global partition "linux" to make easy firmware upgrade */
parts[curpart].name = "linux";
diff --git
a/target/linux/brcm63xx/patches-3.18/425-bcm63xxpart_parse_paritions_from_dt.patch
b/target/linux/brcm63xx/patches-3.18/425-bcm63xxpart_parse_paritions_from_dt.patch
index 7f3890eb0a717d566ba6cd7f256fe412e3d57b33..53fc4c5d23089fc902c27ba162b56e395c1d2f27 100644
(file)
--- a/
target/linux/brcm63xx/patches-3.18/425-bcm63xxpart_parse_paritions_from_dt.patch
+++ b/
target/linux/brcm63xx/patches-3.18/425-bcm63xxpart_parse_paritions_from_dt.patch
@@
-109,7
+109,7
@@
}
} else {
pr_warn("CFE boot tag CRC invalid (expected %08x, actual %08x)\n",
}
} else {
pr_warn("CFE boot tag CRC invalid (expected %08x, actual %08x)\n",
-@@ -139,16 +108,1
45
@@ static int bcm63xx_parse_cfe_partitions(
+@@ -139,16 +108,1
53
@@ static int bcm63xx_parse_cfe_partitions(
kernellen = 0;
rootfslen = 0;
rootfsaddr = 0;
kernellen = 0;
rootfslen = 0;
rootfsaddr = 0;
@@
-165,6
+165,16
@@
+ if (node_has_compatible(pp))
+ continue;
+
+ if (node_has_compatible(pp))
+ continue;
+
++ if (!of_get_property(pp, "reg", &len))
++ continue;
++
++ partname = of_get_property(pp, "label", &len);
++ if (!partname)
++ partname = of_get_property(pp, "name", &len);
++
++ if (!strcmp(partname, "linux"))
++ nr_parts += 2;
++
+ nr_parts++;
+ }
+
+ nr_parts++;
+ }
+
@@
-182,10
+192,8
@@
+ continue;
+
+ reg = of_get_property(pp, "reg", &len);
+ continue;
+
+ reg = of_get_property(pp, "reg", &len);
-+ if (!reg) {
-+ nr_parts--;
++ if (!reg)
+ continue;
+ continue;
-+ }
+
+ a_cells = of_n_addr_cells(pp);
+ s_cells = of_n_size_cells(pp);
+
+ a_cells = of_n_addr_cells(pp);
+ s_cells = of_n_size_cells(pp);
@@
-262,7
+270,7
@@
if (caldatalen1 > 0)
nrparts++;
if (caldatalen1 > 0)
nrparts++;
-@@ -158,10 +2
56
,8 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -158,10 +2
64
,8 @@ static int bcm63xx_parse_cfe_partitions(
/* Ask kernel for more memory */
parts = kzalloc(sizeof(*parts) * nrparts + 10 * nrparts, GFP_KERNEL);
/* Ask kernel for more memory */
parts = kzalloc(sizeof(*parts) * nrparts + 10 * nrparts, GFP_KERNEL);
@@
-274,7
+282,7
@@
/* Start building partition list */
parts[curpart].name = "CFE";
/* Start building partition list */
parts[curpart].name = "CFE";
-@@ -169,29 +2
65
,7 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -169,29 +2
73
,7 @@ static int bcm63xx_parse_cfe_partitions(
parts[curpart].size = cfelen;
curpart++;
parts[curpart].size = cfelen;
curpart++;
@@
-305,7
+313,7
@@
if (caldatalen1 > 0) {
if (caldatalen2 > 0)
if (caldatalen1 > 0) {
if (caldatalen2 > 0)
-@@ -217,25 +29
1
,33 @@ static int bcm63xx_parse_cfe_partitions(
+@@ -217,25 +29
9
,33 @@ static int bcm63xx_parse_cfe_partitions(
/* Global partition "linux" to make easy firmware upgrade */
parts[curpart].name = "linux";
/* Global partition "linux" to make easy firmware upgrade */
parts[curpart].name = "linux";