Date: Sat, 12 Oct 2019 23:16:18 +0000 (UTC)
From: Brandon Bergren <bdragon@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r353459 - head/sys/contrib/ncsw/user/env
Message-ID: <201910122316.x9CNGIjK073383@repo.freebsd.org>
Author: bdragon Date: Sat Oct 12 23:16:17 2019 New Revision: 353459 URL: https://svnweb.freebsd.org/changeset/base/353459 Log: Fix read past end of struct in ncsw glue code. The logic in XX_IsPortalIntr() was reading past the end of XX_PInfo. This was causing it to erroneously return 1 instead of 0 in some circumstances, causing a panic on the AmigaOne X5000 due to mixing exclusive and nonexclusive interrupts on the same interrupt line. Since this code is only called a couple of times during startup, use a simple double loop instead of the complex read-ahead single loop. This also fixes a bug where it would never check cpu=0 on type=1. Approved by: jhibbits (mentor) Differential Revision: https://reviews.freebsd.org/D21988 Modified: head/sys/contrib/ncsw/user/env/xx.c Modified: head/sys/contrib/ncsw/user/env/xx.c ============================================================================== --- head/sys/contrib/ncsw/user/env/xx.c Sat Oct 12 23:01:16 2019 (r353458) +++ head/sys/contrib/ncsw/user/env/xx.c Sat Oct 12 23:16:17 2019 (r353459) @@ -288,16 +288,10 @@ XX_IsPortalIntr(uintptr_t irq) { int cpu, type; /* Check interrupt numbers of all available portals */ - for (cpu = 0, type = 0; XX_PInfo.portal_intr[type][cpu] != 0; cpu++) { - if (irq == XX_PInfo.portal_intr[type][cpu]) { - /* Found it! */ - return (1); - } - if (XX_PInfo.portal_intr[type][cpu + 1] == 0) { - type++; - cpu = 0; - } - } + for (type = 0; type < 2; type++) + for (cpu = 0; cpu < MAXCPU; cpu++) + if (irq == XX_PInfo.portal_intr[type][cpu]) + return (1); return (0); }
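Review bot: The outer bound in `for (type = 0; type < 2; type++)` is a bare literal, and together with `cpu < MAXCPU` it has to match the declared dimensions of XX_PInfo.portal_intr, which this hunk does not show. Since the defect being fixed is a read past the end of that same structure, consider deriving both bounds from the array itself, e.g. `nitems(XX_PInfo.portal_intr)` and `nitems(XX_PInfo.portal_intr[0])`, or from a named constant shared with the declaration, so a later change to the struct cannot reintroduce the overread. Separately, the removed loop treated an entry of 0 as a terminator, while the new loops compare irq against every slot, so a call with irq == 0 would match any entry still holding 0 and return 1; if 0 can never be passed in, a one-line comment saying so would make that assumption explicit.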