From b79998fc2e1144919b6b02acbd407a5db1f80ac0 Mon Sep 17 00:00:00 2001 From: Nathan Fontenot Date: Thu, 31 Jul 2008 02:23:27 +1000 Subject: powerpc: Zero fill the return values of rtas argument buffer The kernel copy of the rtas args struct contains the return value(s) for the specified rtas call. These are copied back to user space with the assumption that every value has been set by the rtas call, which turns out to be not always true. Thus userspace can see random values and think the call failed when in fact it succeeded, but for some reason didn't set one of the return values. This fixes the problem by zeroing out the return value fields of the rtas args struct before processing the rtas call. Signed-off-by: Nathan Fontenot Signed-off-by: Paul Mackerras --- arch/powerpc/kernel/rtas.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'arch/powerpc') diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index c680f1b..1f8505c 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -792,6 +792,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs) if (args.token == RTAS_UNKNOWN_SERVICE) return -EINVAL; + args.rets = &args.args[nargs]; + memset(args.rets, 0, args.nret * sizeof(rtas_arg_t)); + /* Need to handle ibm,suspend_me call specially */ if (args.token == ibm_suspend_me_token) { rc = rtas_ibm_suspend_me(&args); @@ -808,8 +811,6 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs) enter_rtas(__pa(&rtas.args)); args = rtas.args; - args.rets = &args.args[nargs]; - /* A -1 return code indicates that the last command couldn't be completed due to a hardware error. */ if (args.rets[0] == -1) -- cgit v1.1