Comment 12 for bug 1386973

Federico Tello Gentile (federicotg) wrote :

https://github.com/alterapraxisptyltd/openatom/issues/1

Quote:
[linux] Infinite loop in pci_get_rom_size()

This is one of those issues that you find when putting supposedly stable code through unusual situations. I did expect any function in linux that is not part of radeon.ko to not be rock solid. Turns out that's not really the case.

If we have a PCIR structure with a zero size length, the loop iterating through those structures does not advance. It simply does "image += readw(pds + 16) * 512;", but if that field is zero we're back analyzing the same structure on the next loop. The way to get out of this loop is to set bit 7 of the type field. That's what 'last_image' does. If that bit is not set, with the above, that's an infinite loop.

Luckily, it doesn't crash the kernel, but it hangs any driver that calls the function under said circumstances. No more modprobe -r or unbinding. Reboot is needed. No idea why a firmware blob here is treated as trusted input.
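The quoted report describes the image-chain walk well enough to model it. The following is an added userspace example, not code from the kernel, from radeon, or from the openatom project: it walks a ROM buffer the same way (signature, PCIR pointer, length in 512-byte units, bit 7 of the indicator byte as "last image") but rejects a zero-length image and bounds-checks every read. The field offsets are taken from the PCI Firmware Specification as I know it, not from the bug report; the 0x40 PCIR position and the two-image test ROMs are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the PCI Firmware Specification (assumed here, not from the
 * report):  ROM header 0x00 = 0x55 0xAA, 0x18 = 16-bit LE offset of the PCIR;
 * PCIR 0x00 = "PCIR", 0x10 = 16-bit LE length in 512-byte units,
 * 0x15 = indicator byte whose bit 7 marks the last image. */
#define ROM_PCIR_PTR_OFF 0x18
#define PCIR_LEN_OFF     0x10
#define PCIR_IND_OFF     0x15
#define IMAGE_UNIT       512

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Return the total size in bytes of the image chain in `rom`, or 0 if the
 * chain is malformed.  A zero-length image is treated as corrupt instead of
 * being re-parsed forever, and no read goes past `size`. */
size_t rom_chain_size(const uint8_t *rom, size_t size)
{
    size_t off = 0;          /* start of the image being examined */
    int last_image = 0;

    do {
        if (size - off < ROM_PCIR_PTR_OFF + 2)        /* header must fit */
            return 0;
        if (rom[off] != 0x55 || rom[off + 1] != 0xAA)
            return 0;

        size_t pds = off + rd16(rom + off + ROM_PCIR_PTR_OFF);
        if (pds > size || size - pds < PCIR_IND_OFF + 1)
            return 0;
        if (memcmp(rom + pds, "PCIR", 4) != 0)
            return 0;

        uint16_t length = rd16(rom + pds + PCIR_LEN_OFF);
        last_image = rom[pds + PCIR_IND_OFF] & 0x80;

        /* The reported bug: length 0 leaves `off` unchanged, so the same
         * PCIR would be examined again on the next iteration. */
        if (length == 0)
            return 0;
        if ((size_t)length * IMAGE_UNIT > size - off)  /* claims too much */
            return 0;
        off += (size_t)length * IMAGE_UNIT;
    } while (!last_image);

    return off;
}

/* Constructed test data: one minimal 512-byte image with its PCIR at 0x40. */
static void build_image(uint8_t *buf, uint16_t len_units, uint8_t indicator)
{
    memset(buf, 0, IMAGE_UNIT);
    buf[0] = 0x55;
    buf[1] = 0xAA;
    buf[ROM_PCIR_PTR_OFF] = 0x40;
    buf[ROM_PCIR_PTR_OFF + 1] = 0x00;
    memcpy(buf + 0x40, "PCIR", 4);
    buf[0x40 + PCIR_LEN_OFF] = (uint8_t)(len_units & 0xFF);
    buf[0x40 + PCIR_LEN_OFF + 1] = (uint8_t)(len_units >> 8);
    buf[0x40 + PCIR_IND_OFF] = indicator;
}

/* Two well-formed images, the second marked last: the walk reports 1024. */
size_t demo_well_formed(void)
{
    uint8_t rom[2 * IMAGE_UNIT];
    build_image(rom, 1, 0x00);
    build_image(rom + IMAGE_UNIT, 1, 0x80);
    return rom_chain_size(rom, sizeof rom);
}

/* First image has length 0 and is not marked last, the case from the report:
 * the walk returns 0 (rejected) instead of looping. */
size_t demo_zero_length(void)
{
    uint8_t rom[2 * IMAGE_UNIT];
    build_image(rom, 0, 0x00);
    build_image(rom + IMAGE_UNIT, 1, 0x80);
    return rom_chain_size(rom, sizeof rom);
}

int main(void)
{
    printf("well-formed chain: %zu bytes\n", demo_well_formed());
    printf("zero-length image: %zu bytes (0 = rejected)\n", demo_zero_length());
    return 0;
}
```

The point of the model is the `length == 0` check together with the termination rule: the loop only advances by what the firmware blob says, so the walk has to treat "does not advance" as an error rather than trust the blob to eventually set the last-image bit.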