From: Tejun Heo <tj@kernel.org>
Date: Thu, 28 Feb 2013 01:04:04 +0000 (-0800)
Subject: firewire: add minor number range check to fw_device_init()
X-Git-Tag: v3.2.40~42
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=507b2ac935cfe53dbe3a61d61254154e4829c2e4;p=thirdparty%2Fkernel%2Fstable.git

firewire: add minor number range check to fw_device_init()

commit 3bec60d511179853138836ae6e1b61fe34d9235f upstream.

fw_device_init() didn't check whether the allocated minor number isn't
too large.  Fail if it goes overflows MINORBITS.

Signed-off-by: Tejun Heo <tj@kernel.org>
Suggested-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
index f3b890da1e874..1f3dd5117ed35 100644
--- a/drivers/firewire/core-device.c
+++ b/drivers/firewire/core-device.c
@@ -995,6 +995,10 @@ static void fw_device_init(struct work_struct *work)
 	ret = idr_pre_get(&fw_device_idr, GFP_KERNEL) ?
 	      idr_get_new(&fw_device_idr, device, &minor) :
 	      -ENOMEM;
+	if (minor >= 1 << MINORBITS) {
+		idr_remove(&fw_device_idr, minor);
+		minor = -ENOSPC;
+	}
 	up_write(&fw_device_rwsem);
 
 	if (ret < 0)