On Mon, Dec 10, 2018 at 05:12:22PM +0800, Wesley Sheng wrote:
> From: Joey Zhang <joey.zhang@xxxxxxxxxxxxx>
>
> For nr_idxs is larger than 1 switchtec_ioctl_event_ctl event flags will be
> used by each event indexes. In current implementation the event flags are
> overwritten by first call of the function event_ctl().
>
> Preserve the event flag value with a temporary variable.
>
> Fixes: 52eabba5bcdb ("switchtec: Add IOCTLs to the Switchtec driver")
> Signed-off-by: Joey Zhang <joey.zhang@xxxxxxxxxxxxx>
> Signed-off-by: Wesley Sheng <wesley.sheng@xxxxxxxxxxxxx>
> Reviewed-by: Logan Gunthorpe <logang@xxxxxxxxxxxx>
> ---
> drivers/pci/switch/switchtec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c
> index 480107e..a908670 100644
> --- a/drivers/pci/switch/switchtec.c
> +++ b/drivers/pci/switch/switchtec.c
> @@ -796,6 +796,7 @@ static int ioctl_event_ctl(struct switchtec_dev *stdev,
> {
> int ret;
> int nr_idxs;
> + unsigned int event_flags;
> struct switchtec_ioctl_event_ctl ctl;
>
> if (copy_from_user(&ctl, uctl, sizeof(ctl)))
> @@ -817,7 +818,9 @@ static int ioctl_event_ctl(struct switchtec_dev *stdev,
> else
> return -EINVAL;
>
> + event_flags = ctl.flags;
> for (ctl.index = 0; ctl.index < nr_idxs; ctl.index++) {
> + ctl.flags = event_flags;
> ret = event_ctl(stdev, &ctl);
event_ctl() overwrites several other things, in addition to ctl.flags:
ctl.data[]
ctl.occurred
ctl.count
Is that what you intend? It looks like only the values from the *last*
call of event_ctl() will be copied back to the user buffer.
> if (ret < 0)
> return ret;
> --
> 2.7.4
>
