commit 127c03cdbad9bd5af5d7f33bd31a1015a90cb77f upstream. NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in pcmcia_setup_isa_irq():
static u8 pcmcia_used_irq[NR_IRQS]; ... if ((try < 32) && pcmcia_used_irq[irq]) continue; This is read-only, so if this address would be non-zero, it would just mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! And as request_irq() fails for an irq >= NR_IRQS, the setting code path: pcmcia_used_irq[irq]++; is never reached as well. Reported-by: Christoph Fritz <chf.fr...@googlemail.com> Signed-off-by: Dominik Brodowski <li...@dominikbrodowski.net> Signed-off-by: Christoph Fritz <chf.fr...@googlemail.com> --- Note: a similar patch is already queued for 2.6.35.2. This patch applies to 2.6.34 and all other previous stable kernels still maintained. diff --git a/drivers/pcmcia/pcmcia_resource.c b/drivers/pcmcia/pcmcia_resource.c index 7c3d03b..cfcf868 100644 --- a/drivers/pcmcia/pcmcia_resource.c +++ b/drivers/pcmcia/pcmcia_resource.c @@ -41,7 +41,7 @@ module_param(io_speed, int, 0444); #ifdef CONFIG_PCMCIA_PROBE #include <asm/irq.h> /* mask of IRQs already reserved by other cards, we should avoid using them */ -static u8 pcmcia_used_irq[NR_IRQS]; +static u8 pcmcia_used_irq[32]; #endif static int pcmcia_adjust_io_region(struct resource *res, unsigned long start, @@ -768,6 +768,9 @@ int pcmcia_request_irq(struct pcmcia_device *p_dev, irq_req_t *req) for (try = 0; try < 64; try++) { irq = try % 32; + if (irq > NR_IRQS) + continue; + /* marked as available by driver, and not blocked by userspace? */ if (!((mask >> irq) & 1)) continue; _______________________________________________ Linux PCMCIA reimplementation list http://lists.infradead.org/mailman/listinfo/linux-pcmcia