Kernel fails to boot with some VIA KT266A chipsets. It gives the
message "Booting VMlinuz............." and the screen immediately blanks
out and freezes. Example motherboards where this happenned are
MSI-K7T266-Pro2(MS-6380), abit kr7a-raid.
The following is with respect to kernel-2.4.17 source tree.
In drivers/ide/ide-pci.c, in the definition of function
hpt366_device_order_fixup, the line:
pci_read_config_dword(dev, PCI_CLASS_REVISION, &class_rev);
reads class_rev and gets 5 on the abit kr7a-raid system.
Since the code is only prepared for 4 or less, the problem appears in the
subsequent line:
strcpy(d->name, chipset_names[class_rev]);
where chipset_names[class_rev]=chipset_names[5] attempts to access
an invalid array element, given that chipset_names[4] is the last valid
elelment.
After the lines
pci_read_config_dword(dev, PCI_CLASS_REVISION, &class_rev);
class_rev &= 0xff;
adding these two check lines solves the boot problem:
if( class_rev >= (sizeof(chipset_names)/sizeof(char *)) ) {
class_rev = (sizeof(chipset_names)/sizeof(char *)) - 1;
}
The same problem exists for drivers/ide/hpt366.c and needs the same
fix. So after the lines
pci_read_config_dword(bmide_dev, PCI_CLASS_REVISION, &class_rev);
class_rev &= 0xff;
these two lines must be added:
if( class_rev >= (sizeof(chipset_names)/sizeof(char *)) ) {
class_rev = (sizeof(chipset_names)/sizeof(char *)) - 1;
}
Also, in drivers/ide/ide-pci.c, in the definition of function
hpt366_device_order_fixup, the line:
strcpy(d->name, chipset_names[class_rev]);
would (for a test case) copy a 7 char string "HPT370A" into and over the
string "HPT366" destroying the terminating null byte. What this may lead
to is unknown but has been fixed by replacing this statement by a strncpy:
/* DON'T COPY 7 CHARS (HPT370A) OVER 6 CHARS (HPT366) */
strncpy(d->name, chipset_names[class_rev], strlen(d->name));
KERNEL VERSIONS AFFECTED
The following kernels are known to have this bug ->
2.4.8 (mandrake-8.1)
2.4.7 (redhat-7.2)
2.4.17
AFFECTED FILES
drivers/ide/ide-pci.c
drivers/ide/hpt366.c
More files may be affected. I could look into this as soon as the
developers get back with a response.
The bug and a possible fix are described in
http://forums.viaarena.com/messageview.cfm?catid=6&threadid=2258
thanks
- Nil
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/