[3.16.y-ckt stable] Patch "powerpc/powernv: Fix the overflow of OPAL message notifiers head array" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Fri Jan 15 18:23:46 UTC 2016 

This is a note to let you know that I have just added a patch titled

    powerpc/powernv: Fix the overflow of OPAL message notifiers head array

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt23.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

---8<------------------------------------------------------------

>From ae47a7c64df4b45ed475805eaaf2eef012e333cb Mon Sep 17 00:00:00 2001
From: Neelesh Gupta <neelegup at linux.vnet.ibm.com>
Date: Wed, 11 Feb 2015 11:57:06 +0530
Subject: powerpc/powernv: Fix the overflow of OPAL message notifiers head
 array

commit 792f96e9a769b799a2944e9369e4ea1e467135b2 upstream.

Fixes the condition check of incoming message type which can
otherwise shoot beyond the message notifiers head array.

Signed-off-by: Neelesh Gupta <neelegup at linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant at linux.vnet.ibm.com>
Reviewed-by: Anshuman Khandual <khandual at linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/powerpc/platforms/powernv/opal.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
index 199975613fe9..d5e5794db989 100644
--- a/arch/powerpc/platforms/powernv/opal.c
+++ b/arch/powerpc/platforms/powernv/opal.c
@@ -286,16 +286,12 @@ void opal_notifier_disable(void)
 int opal_message_notifier_register(enum OpalMessageType msg_type,
 					struct notifier_block *nb)
 {
-	if (!nb) {
-		pr_warning("%s: Invalid argument (%p)\n",
-			   __func__, nb);
-		return -EINVAL;
-	}
-	if (msg_type > OPAL_MSG_TYPE_MAX) {
-		pr_warning("%s: Invalid message type argument (%d)\n",
+	if (!nb || msg_type >= OPAL_MSG_TYPE_MAX) {
+		pr_warning("%s: Invalid arguments, msg_type:%d\n",
 			   __func__, msg_type);
 		return -EINVAL;
 	}
+
 	return atomic_notifier_chain_register(
 				&opal_msg_notifier_head[msg_type], nb);
 }
@@ -332,7 +328,7 @@ static void opal_handle_message(void)
 	type = be32_to_cpu(msg.msg_type);

 	/* Sanity check */
-	if (type > OPAL_MSG_TYPE_MAX) {
+	if (type >= OPAL_MSG_TYPE_MAX) {
 		pr_warning("%s: Unknown message type: %u\n", __func__, type);
 		return;
 	}

More information about the kernel-team mailing list