| Field | Value | Date |
|---|---|---|
| author | Finn Thain <fthain@telegraphics.com.au> | 2017-01-01 01:56:26 +0100 |
| committer | Michael Ellerman <mpe@ellerman.id.au> | 2017-02-07 06:56:20 +0100 |
| commit | cfbf99801bcaf8398492ebc16af72259ad7aa146 | |
| tree | 894246ad083181307bfde948e0ab41b2cc75b3da /drivers/macintosh | |
| parent | via-cuda: Prevent read buffer overflow | |
| download | linux-cfbf99801bcaf8398492ebc16af72259ad7aa146.tar.xz, linux-cfbf99801bcaf8398492ebc16af72259ad7aa146.zip | |
via-cuda: Fix re-initialization of reply_ptr and reading_reply
When reading_reply is set, reply_ptr points into an adb_request struct.
Conversely, when reply_ptr instead points into the global cuda_rbuf,
reading_reply must be false.
Unfortunately, this rule can be violated because re-initialization
of reply_ptr and reading_reply presently depends on the TREQ input.
Fix this by re-initializing reply_ptr and reading_reply as soon as they
are known to be invalid.
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Diffstat (limited to 'drivers/macintosh')

| Mode | File | Changes |
|---|---|---|
| -rw-r--r-- | drivers/macintosh/via-cuda.c | 4 |

1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/macintosh/via-cuda.c b/drivers/macintosh/via-cuda.c index 1cf1467cf6e5..ae3da6b95229 100644 --- a/drivers/macintosh/via-cuda.c +++ b/drivers/macintosh/via-cuda.c @@ -592,6 +592,7 @@ cuda_interrupt(int irq, void *arg) } current_req = req->next; complete = 1; + reading_reply = 0; } else { /* This is tricky. We must break the spinlock to call * cuda_input. However, doing so means we might get @@ -603,11 +604,10 @@ cuda_interrupt(int irq, void *arg) ibuf_len = reply_ptr - cuda_rbuf; memcpy(ibuf, cuda_rbuf, ibuf_len); } + reply_ptr = cuda_rbuf; if (TREQ_asserted(status)) { assert_TIP(); cuda_state = reading; - reply_ptr = cuda_rbuf; - reading_reply = 0; } else { cuda_state = idle; cuda_start(); |
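Review bot: In the first hunk, the added `reading_reply = 0;` after `complete = 1;` is placed in the only branch that can have been entered with reading_reply set (the one that completes current_req), so the flag is cleared at the moment the adb_request reply is known to be fully consumed rather than later, conditional on TREQ. The invariant this relies on (reading_reply set exactly when reply_ptr points into an adb_request, false when it points into cuda_rbuf) is stated only in the commit message; a one-line comment at this clear, or next to the declarations of reply_ptr and reading_reply, would keep that rule visible to the next person editing cuda_interrupt().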
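Review bot: In the second hunk, hoisting `reply_ptr = cuda_rbuf;` out of the `if (TREQ_asserted(status))` branch is the actual fix: on the `else` path the old code went to `cuda_state = idle` and called cuda_start() with reply_ptr still aimed at the reply buffer of a request that was just completed, or at the end of the previous cuda_rbuf contents. Note the ordering matters: `ibuf_len = reply_ptr - cuda_rbuf;` and the memcpy that uses it sit above the new reset, so the length is computed from the pre-reset pointer; any future refactor that moves the reset above the closing `}` of that `else` block would silently compute a zero length. A brief comment on the reset line ("reply buffer consumed; reset before choosing next state") would make that ordering constraint explicit.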