Hi,
buffer overflow in next-tree's commit 6f0f38c45a8f2f511c25893e33011ff32fc811db:
size of array pcmcia_used_irq[] can be less than 32
in drivers/pcmcia/pcmcia_resource.c
+static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
+{
[..]
+ for (try = 0; try < 64; try++) {
+ irq = try % 32;
[..]
+
+ /* avoid an IRQ which is already used by another PCMCIA card */
+ if ((try < 32) && pcmcia_used_irq[irq])
+ continue;
drivers/pcmcia/pcmcia_resource.c
static u8 pcmcia_used_irq[NR_IRQS];
arch/x86/include/asm/irq_vectors.h
#define NR_IRQS_LEGACY 16
[..]
#else /* !CONFIG_X86_IO_APIC: */
# define NR_IRQS NR_IRQS_LEGACY
#endif
---
non-tested fix:
---
diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c
index d48437f..f8363e6 100644
--- a/drivers/pcmcia/pcmcia_resource.c
+++ b/drivers/pcmcia/pcmcia_resource.c
@@ -697,15 +697,15 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
u32 mask = s->irq_mask;
int ret = -ENODEV;
- for (try = 0; try < 64; try++) {
- irq = try % 32;
+ for (try = 0; try < (NR_IRQS * 2); try++) {
+ irq = try % NR_IRQS;
/* marked as available by driver, not blocked by userspace? */
if (!((mask >> irq) & 1))
continue;
/* avoid an IRQ which is already used by another PCMCIA card */
- if ((try < 32) && pcmcia_used_irq[irq])
+ if ((try < NR_IRQS) && pcmcia_used_irq[irq])
continue;
/* register the correct driver, if possible, to check whether
--
To unsubscribe from this list: send the line "unsubscribe linux-next" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
