首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

[media] saa7164: fix double fetch PCIe access condition

Avoid a double fetch by reusing the values from the prior transfer.

Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559

Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.

Signed-off-by: Steven Toth <stoth@kernellabs.com>
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Steven Toth 8 年之前
父节点
9e9e6a7814
当前提交
6fb05e0dd3
共有 1 个文件被更改,包括 1 次插入12 次删除
分列视图 显示文件统计
  1. 1 12
      drivers/media/pci/saa7164/saa7164-bus.c

+ 1 - 12
drivers/media/pci/saa7164/saa7164-bus.c
查看文件 

@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
 
 	msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
 
 	msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
 
 	msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
 
+	memcpy(msg, &msg_tmp, sizeof(*msg));
 
 
 	/* No need to update the read positions, because this was a peek */
 
 	/* If the caller specifically want to peek, return */
 
 	if (peekonly) {
 
-		memcpy(msg, &msg_tmp, sizeof(*msg));
 
 		goto peekout;
 
 	}
 
 
@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
 
 		space_rem = bus->m_dwSizeGetRing - curr_grp;
 
 
 		if (space_rem < sizeof(*msg)) {
 
-			/* msg wraps around the ring */
 
-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
 
-			memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
 
-				sizeof(*msg) - space_rem);
 
 			if (buf)
 
 				memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
 
 					space_rem, buf_size);
 
 
 		} else if (space_rem == sizeof(*msg)) {
 
-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
 
 			if (buf)
 
 				memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
 
 		} else {
 
 			/* Additional data wraps around the ring */
 
-			memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
 
 			if (buf) {
 
 				memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
 
 					sizeof(*msg), space_rem - sizeof(*msg));
 
@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
 
 
 	} else {
 
 		/* No wrapping */
 
-		memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
 
 		if (buf)
 
 			memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
 
 				buf_size);
 
 	}
 
-	/* Convert from little endian to CPU */
 
-	msg->size = le16_to_cpu((__force __le16)msg->size);
 
-	msg->command = le32_to_cpu((__force __le32)msg->command);
 
-	msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
 
 
 	/* Update the read positions, adjusting the ring */
 
 	saa7164_writel(bus->m_dwGetReadPos, new_grp);