[POWERPC] spufs: Don't leak kernel stack through an empty {i,m}box_info read

Based on an original patch from Arnd Bergmann
<arnd.bergmann@de.ibm.com>

If there's no entry in the mailbox, then a read on the _info file will
return data from an uninitialised variable.

This change returns EOF if there's no mailbox info available instead.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>

diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
index ba6101ae73a2ae3da7e910bbf1a2c45c6423c436..3fcd06418b01d165ba1d01f7d9930608d6d15c6d 100644 (file)
--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = {
 static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
                        char __user *buf, size_t len, loff_t *pos)
 {
-       u32 mbox_stat;
        u32 data;
 
-       mbox_stat = ctx->csa.prob.mb_stat_R;
-       if (mbox_stat & 0x0000ff) {
-               data = ctx->csa.prob.pu_mb_R;
-       }
+       /* EOF if there's no entry in the mbox */
+       if (!(ctx->csa.prob.mb_stat_R & 0x0000ff))
+               return 0;
+
+       data = ctx->csa.prob.pu_mb_R;
 
        return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
 }
@@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = {
 static ssize_t __spufs_ibox_info_read(struct spu_context *ctx,
                                char __user *buf, size_t len, loff_t *pos)
 {
-       u32 ibox_stat;
        u32 data;
 
-       ibox_stat = ctx->csa.prob.mb_stat_R;
-       if (ibox_stat & 0xff0000) {
-               data = ctx->csa.priv2.puint_mb_R;
-       }
+       /* EOF if there's no entry in the ibox */
+       if (!(ctx->csa.prob.mb_stat_R & 0xff0000))
+               return 0;
+
+       data = ctx->csa.priv2.puint_mb_R;
 
        return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
 }