staging: unisys: fix random memory corruption in visorchannel_write()

visorchannel_write() and it's user visorbus_write_channel() are
exported, so all visorbus function drivers (i.e., drivers that call
visorbus_register_visor_driver()) are potentially affected by the bug.

Because of pointer-arithmetic rules, the address being written to in the
affected code was actually at byte offset:

    sizeof(struct channel_header) * offset

instead of just <offset> bytes as intended.

The bug could cause some very difficult-to-diagnose symptoms.  The
particular problem that led me on this chase was a kernel fault that
would occur during 'insmod visornic' after a previous 'rmmod visornic',
where we would fault during netdev_register_kobject() within
pm_runtime_set_memalloc_noio() while traversing a device list, which
occurred because dev->parent for the visorbus device had become
corrupted.

Fixes: 0abb60c1c ('staging: unisys: visorchannel_write(): Handle...')
Signed-off-by: Tim Sell <Timothy.Sell@unisys.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Signed-off-by: Benjamin Romer <benjamin.romer@unisys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 2 insertions, 1 deletions

diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
index 20b63496e9f2..af349c8a3693 100644
--- a/drivers/staging/unisys/visorbus/visorchannel.c
+++ b/drivers/staging/unisys/visorbus/visorchannel.c
@@ -259,7 +259,8 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
 
 	if (offset < chdr_size) {
 		copy_size = min(chdr_size - offset, nbytes);
-		memcpy(&channel->chan_hdr + offset, local, copy_size);
+		memcpy(((char *)(&channel->chan_hdr)) + offset,
+		       local, copy_size);
 	}
 
 	memcpy_toio(channel->mapped + offset, local, nbytes);