Re: [PATCH 2/5] I2O: SPARC fixes
From: Al Viro
Date: Sun Nov 20 2005 - 18:21:38 EST
On Sun, Nov 20, 2005 at 11:07:14PM +0000, Al Viro wrote:
> And here's another fun one:
> evt->size = size;
> evt->tcntxt = le32_to_cpu(msg->u.s.tcntxt);
> evt->event_indicator = le32_to_cpu(msg->body[0]);
> memcpy(&evt->tcntxt, &msg->u.s.tcntxt, size * 4);
> in i2o_driver_dispatch().
Gaaack... Old code used to be
evt = kmalloc(size * 4 + sizeof(*evt), GFP_ATOMIC);
if (!evt)
return -ENOMEM;
memset(evt, 0, size * 4 + sizeof(*evt));
evt->size = size;
memcpy_fromio(&evt->tcntxt, &msg->u.s.tcntxt,
(size + 2) * 4);
Then it became
evt->size = size;
evt->tcntxt = readl(&msg->u.s.tcntxt);
evt->event_indicator = readl(&msg->body[0]);
memcpy_fromio(&evt->tcntxt, &msg->u.s.tcntxt, size * 4);
See the problem with it? The last copy should be from &msg->body[1] to
evt->data. As it is, we do not copy the last 8 bytes (which might or
might not be a problem) *AND* we overwrite tcntxt and event_indicator
with bus-endian values right after having host-endian ones carefully
assigned to them.
Breakage happened in
diff-tree 61fbfa8129c1771061a0e9f47747854293081c5b (from 34d6e07570ef74b96513145
Author: Markus Lidel <Markus.Lidel@xxxxxxxxxxxxxxxxx>
Date: Thu Jun 23 22:02:11 2005 -0700
[PATCH] I2O: bugfixes and compability enhancements
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/