From dc1c4b92702120dc06348d91c97ca533d7a27bc6 Mon Sep 17 00:00:00 2001 From: brucec Date: Thu, 2 Dec 2010 22:19:30 +0000 Subject: Disallow passing in a count of zero bytes to the bus_space(9) functions. Passing a count of zero on i386 and amd64 for [I386|AMD64]_BUS_SPACE_MEM causes a crash/hang since the 'loop' instruction decrements the counter before checking if it's zero. PR: kern/80980 Discussed with: jhb --- sys/pc98/include/bus.h | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'sys/pc98')
diff --git a/sys/pc98/include/bus.h b/sys/pc98/include/bus.h
index b12845c..a31590e 100644
--- a/sys/pc98/include/bus.h
+++ b/sys/pc98/include/bus.h
@@ -78,6 +78,7 @@ #ifndef _PC98_BUS_H_ #define _PC98_BUS_H_ +#include #include #include
@@ -378,7 +379,7 @@ bus_space_read_multi_##BWN (tag, bsh, offset, buf, cnt) \
 TYPE *buf; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%3" \
 :"=c" (cnt), \
 "=d" (offset), \
@@ -407,7 +408,7 @@ bus_space_write_multi_##BWN (tag, bsh, offset, buf, cnt) \
 const TYPE *buf; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%3" \
 :"=c" (cnt), \
 "=d" (offset), \
@@ -433,10 +434,10 @@ bus_space_read_region_##BWN (tag, bsh, offset, buf, cnt) \
 bus_space_tag_t tag; \
 bus_space_handle_t bsh; \
 bus_size_t offset; \
- TYPE *buf; \
+ TYPE *buf; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%3" \
 :"=c" (cnt), \
 "=d" (offset), \
@@ -465,7 +466,7 @@ bus_space_write_region_##BWN (tag, bsh, offset, buf, cnt) \
 const TYPE *buf; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%3" \
 :"=c" (cnt), \
 "=d" (offset), \
@@ -494,7 +495,7 @@ bus_space_set_multi_##BWN (tag, bsh, offset, val, cnt) \
 TYPE val; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%2" \
 :"=c" (cnt), \
 "=d" (offset) \
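Review bot: The added `KASSERT(cnt != 0, ("count == 0"));` in bus_space_read_multi_##BWN is only compiled into kernels built with INVARIANTS, so on a production kernel a zero count still reaches the `call *%3` access routine unchecked. The same holds for the write_multi, read_region, write_region, set_multi, set_region and copy_region hunks. If the pc98 routines behind that call share the decrement-before-test behaviour the description gives for i386 and amd64 (not visible here), a driver that derives cnt from a device- or user-supplied length can still hang the machine; consider following the assertion with an unconditional `if (cnt == 0) return; \`, or state the non-zero requirement in bus_space(9). The panic text would also be easier to triage as `KASSERT(cnt != 0, ("%s: count == 0", __func__)); \`. Each function body starts and ends outside its hunk.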
@@ -522,7 +523,7 @@ bus_space_set_region_##BWN (tag, bsh, offset, val, cnt) \
 TYPE val; \
 size_t cnt; \
 { \
- \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%2" \
 :"=c" (cnt), \
 "=d" (offset) \
@@ -555,6 +556,7 @@ bus_space_copy_region_##BWN (tag, sbsh, src, dbsh, dst, cnt) \
 if (dbsh->bsh_bam.bs_copy_region_1 != sbsh->bsh_bam.bs_copy_region_1) \
 panic("bus_space_copy_region: funcs mismatch (ENOSUPPORT)");\
 \
+ KASSERT(cnt != 0, ("count == 0")); \
 __asm __volatile("call *%3" \
 :"=c" (cnt), \
 "=S" (src), \
-- cgit v1.1