summaryrefslogtreecommitdiffstats
path: root/drivers/macintosh
diff options
context:
space:
mode:
authorFinn Thain <fthain@telegraphics.com.au>2017-01-01 01:56:26 +0100
committerMichael Ellerman <mpe@ellerman.id.au>2017-02-07 06:56:20 +0100
commitcfbf99801bcaf8398492ebc16af72259ad7aa146 (patch)
tree894246ad083181307bfde948e0ab41b2cc75b3da /drivers/macintosh
parentvia-cuda: Prevent read buffer overflow (diff)
downloadlinux-cfbf99801bcaf8398492ebc16af72259ad7aa146.tar.xz
linux-cfbf99801bcaf8398492ebc16af72259ad7aa146.zip
via-cuda: Fix re-initialization of reply_ptr and reading_reply
When reading_reply is set, reply_ptr points into an adb_request struct. Conversely, when reply_ptr instead points into the global cuda_rbuf, reading_reply must be false. Unfortunately, this rule can be violated because re-initialization of reply_ptr and reading_reply presently depends on the TREQ input. Fix this by re-initializing reply_ptr and reading_reply as soon as they are known to be invalid. Tested-by: Stan Johnson <userm57@yahoo.com> Signed-off-by: Finn Thain <fthain@telegraphics.com.au> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Diffstat (limited to 'drivers/macintosh')
-rw-r--r--drivers/macintosh/via-cuda.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/macintosh/via-cuda.c b/drivers/macintosh/via-cuda.c
index 1cf1467cf6e5..ae3da6b95229 100644
--- a/drivers/macintosh/via-cuda.c
+++ b/drivers/macintosh/via-cuda.c
@@ -592,6 +592,7 @@ cuda_interrupt(int irq, void *arg)
}
current_req = req->next;
complete = 1;
+ reading_reply = 0;
} else {
/* This is tricky. We must break the spinlock to call
* cuda_input. However, doing so means we might get
@@ -603,11 +604,10 @@ cuda_interrupt(int irq, void *arg)
ibuf_len = reply_ptr - cuda_rbuf;
memcpy(ibuf, cuda_rbuf, ibuf_len);
}
+ reply_ptr = cuda_rbuf;
if (TREQ_asserted(status)) {
assert_TIP();
cuda_state = reading;
- reply_ptr = cuda_rbuf;
- reading_reply = 0;
} else {
cuda_state = idle;
cuda_start();