From: Chris Wright <chrisw@sous-sol.org>
Date: Tue, 16 May 2006 23:21:05 +0000 (-0700)
Subject: scx200_acb fix resource name use after free, from Jean Delvare
X-Git-Tag: v2.6.16.17~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c224b7f33dd30c599666b5b4233fc43f04597169;p=thirdparty%2Fkernel%2Fstable-queue.git

scx200_acb fix resource name use after free, from Jean Delvare
---

diff --git a/queue-2.6.16/scx200_acb-fix-resource-name-use-after-free.patch b/queue-2.6.16/scx200_acb-fix-resource-name-use-after-free.patch
new file mode 100644
index 00000000000..9c0c8d25785
--- /dev/null
+++ b/queue-2.6.16/scx200_acb-fix-resource-name-use-after-free.patch
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org  Sat May 13 02:21:24 2006
+Date: Sat, 13 May 2006 11:17:37 +0200
+From: Jean Delvare <khali@linux-fr.org>
+To: stable@kernel.org
+Cc: 
+Subject: [PATCH] scx200_acb: Fix resource name use after free
+
+We can't pass a string on the stack to request_region. As soon as we
+leave the function that stack is gone and the string is lost. Let's
+use the same string we identify the i2c_adapter with instead, it's
+more simple, more consistent, and just works.
+
+This is the second half of fix to bug #6445.
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ drivers/i2c/busses/scx200_acb.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- linux-2.6.16.16.orig/drivers/i2c/busses/scx200_acb.c
++++ linux-2.6.16.16/drivers/i2c/busses/scx200_acb.c
+@@ -440,7 +440,6 @@ static int  __init scx200_acb_create(int
+ 	struct scx200_acb_iface *iface;
+ 	struct i2c_adapter *adapter;
+ 	int rc = 0;
+-	char description[64];
+ 
+ 	iface = kzalloc(sizeof(*iface), GFP_KERNEL);
+ 	if (!iface) {
+@@ -459,8 +458,7 @@ static int  __init scx200_acb_create(int
+ 
+ 	init_MUTEX(&iface->sem);
+ 
+-	snprintf(description, sizeof(description), "NatSemi SCx200 ACCESS.bus [%s]", adapter->name);
+-	if (request_region(base, 8, description) == 0) {
++	if (!request_region(base, 8, adapter->name)) {
+ 		dev_err(&adapter->dev, "can't allocate io 0x%x-0x%x\n",
+ 			base, base + 8-1);
+ 		rc = -EBUSY;
diff --git a/queue-2.6.16/series b/queue-2.6.16/series
index dabbccd25cd..4a9c20703b4 100644
--- a/queue-2.6.16/series
+++ b/queue-2.6.16/series
@@ -5,3 +5,4 @@ fs-locks.c-Fix-sys_flock-race.patch
 smbfs-fix-slab-corruption-in-samba-error-path.patch
 fs-compat.c-fix-if-typo.patch
 smbus-unhiding-kills-thermal-management.patch
+scx200_acb-fix-resource-name-use-after-free.patch