drivers/block/*.c

- fix copy_{to,from}_user error handling, thanks to Rusty for pointing this out on lkml

drivers/block/*.c
- fix copy_{to,from}_user error handling, thanks to Rusty for pointing this out on lkml
20131c10 · Arnaldo Carvalho de Melo · a2536452 · 20131c10 · 20131c10 · 20131c10
Commit 20131c10 authored May 19, 2002 by Arnaldo Carvalho de Melo
7 changed files
--- a/drivers/block/DAC960.c
+++ b/drivers/block/DAC960.c
@@ -5473,9 +5473,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	int ControllerNumber, DataTransferLength;
 	unsigned char *DataTransferBuffer = NULL;
 	if (UserSpaceUserCommand == NULL) return -EINVAL;
-	ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
+	if (copy_from_user(&UserCommand, UserSpaceUserCommand,
-				   sizeof(DAC960_V1_UserCommand_T));
+				   sizeof(DAC960_V1_UserCommand_T))) {
-	if (ErrorCode != 0) goto Failure1;
+		ErrorCode = -EFAULT;
+		goto Failure1;
+	}
 	ControllerNumber = UserCommand.ControllerNumber;
 	if (ControllerNumber < 0 ||
 	    ControllerNumber > DAC960_ControllerCount - 1)
@@ -5488,9 +5490,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	if (CommandOpcode & 0x80) return -EINVAL;
 	if (CommandOpcode == DAC960_V1_DCDB)
 	  {
-	    ErrorCode =
+	    if (copy_from_user(&DCDB, UserCommand.DCDB,
-	      copy_from_user(&DCDB, UserCommand.DCDB, sizeof(DAC960_V1_DCDB_T));
+			       sizeof(DAC960_V1_DCDB_T))) {
-	    if (ErrorCode != 0) goto Failure1;
+		ErrorCode = -EFAULT;
+		goto Failure1;
+	    }
 	    if (DCDB.Channel >= DAC960_V1_MaxChannels) return -EINVAL;
 	    if (!((DataTransferLength == 0 &&
 		   DCDB.Direction
@@ -5516,10 +5520,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	  {
 	    DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
 	    if (DataTransferBuffer == NULL) return -ENOMEM;
-	    ErrorCode = copy_from_user(DataTransferBuffer,
+	    if (copy_from_user(DataTransferBuffer,
-				       UserCommand.DataTransferBuffer,
+			       UserCommand.DataTransferBuffer,
-				       -DataTransferLength);
+			       -DataTransferLength)) {
-	    if (ErrorCode != 0) goto Failure1;
+		ErrorCode = -EFAULT;
+		goto Failure1;
+	    }
 	  }
 	if (CommandOpcode == DAC960_V1_DCDB)
 	  {
@@ -5567,17 +5573,21 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
 	if (DataTransferLength > 0)
 	  {
-	    ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
+	    if (copy_to_user(UserCommand.DataTransferBuffer,
-				     DataTransferBuffer, DataTransferLength);
+			     DataTransferBuffer, DataTransferLength))
-	    if (ErrorCode != 0) goto Failure1;
+		ErrorCode = -EFAULT;
+		goto Failure1;
+	  }
 	  }
 	if (CommandOpcode == DAC960_V1_DCDB)
 	  {
 	    Controller->V1.DirectCommandActive[DCDB.Channel]
 					      [DCDB.TargetID] = false;
-	    ErrorCode =
+	    if (copy_to_user(UserCommand.DCDB, &DCDB,
-	      copy_to_user(UserCommand.DCDB, &DCDB, sizeof(DAC960_V1_DCDB_T));
+			     sizeof(DAC960_V1_DCDB_T))) {
-	    if (ErrorCode != 0) goto Failure1;
+		ErrorCode = -EFAULT;
+		goto Failure1;
+	    }
 	  }
 	ErrorCode = CommandStatus;
      Failure1:
@@ -5600,9 +5610,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	unsigned char *DataTransferBuffer = NULL;
 	unsigned char *RequestSenseBuffer = NULL;
 	if (UserSpaceUserCommand == NULL) return -EINVAL;
-	ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
+	if (copy_from_user(&UserCommand, UserSpaceUserCommand,
-				   sizeof(DAC960_V2_UserCommand_T));
+			   sizeof(DAC960_V2_UserCommand_T))) {
-	if (ErrorCode != 0) goto Failure2;
+		ErrorCode = -EFAULT;
+		goto Failure2;
+	}
 	ControllerNumber = UserCommand.ControllerNumber;
 	if (ControllerNumber < 0 ||
 	    ControllerNumber > DAC960_ControllerCount - 1)
@@ -5621,10 +5633,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	  {
 	    DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
 	    if (DataTransferBuffer == NULL) return -ENOMEM;
-	    ErrorCode = copy_from_user(DataTransferBuffer,
+	    if (copy_from_user(DataTransferBuffer,
-				       UserCommand.DataTransferBuffer,
+			       UserCommand.DataTransferBuffer,
-				       -DataTransferLength);
+			       -DataTransferLength)) {
-	    if (ErrorCode != 0) goto Failure2;
+		ErrorCode = -EFAULT;
+		goto Failure2;
+	    }
 	  }
 	RequestSenseLength = UserCommand.RequestSenseLength;
 	if (RequestSenseLength > 0)
@@ -5694,25 +5708,32 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
 	if (RequestSenseLength > UserCommand.RequestSenseLength)
 	  RequestSenseLength = UserCommand.RequestSenseLength;
-	ErrorCode = copy_to_user(&UserSpaceUserCommand->DataTransferLength,
+	if (copy_to_user(&UserSpaceUserCommand->DataTransferLength,
 				 &DataTransferResidue,
-				 sizeof(DataTransferResidue));
+				 sizeof(DataTransferResidue))) {
-	if (ErrorCode != 0) goto Failure2;
+		ErrorCode = -EFAULT;
-	ErrorCode = copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
+		goto Failure2;
-				 &RequestSenseLength,
+	}
-				 sizeof(RequestSenseLength));
+	if (copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
-	if (ErrorCode != 0) goto Failure2;
+			 &RequestSenseLength, sizeof(RequestSenseLength))) {
+		ErrorCode = -EFAULT;
+		goto Failure2;
+	}
 	if (DataTransferLength > 0)
 	  {
-	    ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
+	    if (copy_to_user(UserCommand.DataTransferBuffer,
-				     DataTransferBuffer, DataTransferLength);
+			     DataTransferBuffer, DataTransferLength)) {
-	    if (ErrorCode != 0) goto Failure2;
+		ErrorCode = -EFAULT;
+		goto Failure2;
+	    }
 	  }
 	if (RequestSenseLength > 0)
 	  {
-	    ErrorCode = copy_to_user(UserCommand.RequestSenseBuffer,
+	    if (copy_to_user(UserCommand.RequestSenseBuffer,
-				     RequestSenseBuffer, RequestSenseLength);
+			     RequestSenseBuffer, RequestSenseLength)) {
-	    if (ErrorCode != 0) goto Failure2;
+		ErrorCode = -EFAULT;
+		goto Failure2;
+	    }
 	  }
 	ErrorCode = CommandStatus;
      Failure2:
@@ -5731,9 +5752,9 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	DAC960_Controller_T *Controller;
 	int ControllerNumber;
 	if (UserSpaceGetHealthStatus == NULL) return -EINVAL;
-	ErrorCode = copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
+	if (copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
-				   sizeof(DAC960_V2_GetHealthStatus_T));
+			   sizeof(DAC960_V2_GetHealthStatus_T)))
-	if (ErrorCode != 0) return ErrorCode;
+		return -EFAULT;
 	ControllerNumber = GetHealthStatus.ControllerNumber;
 	if (ControllerNumber < 0 ||
 	    ControllerNumber > DAC960_ControllerCount - 1)
@@ -5741,10 +5762,10 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 	Controller = DAC960_Controllers[ControllerNumber];
 	if (Controller == NULL) return -ENXIO;
 	if (Controller->FirmwareType != DAC960_V2_Controller) return -EINVAL;
-	ErrorCode = copy_from_user(&HealthStatusBuffer,
+	if (copy_from_user(&HealthStatusBuffer,
-				   GetHealthStatus.HealthStatusBuffer,
+			   GetHealthStatus.HealthStatusBuffer,
-				   sizeof(DAC960_V2_HealthStatusBuffer_T));
+			   sizeof(DAC960_V2_HealthStatusBuffer_T)))
-	if (ErrorCode != 0) return ErrorCode;
+		return -EFAULT;
 	while (Controller->V2.HealthStatusBuffer->StatusChangeCounter
 	       == HealthStatusBuffer.StatusChangeCounter &&
 	       Controller->V2.HealthStatusBuffer->NextEventSequenceNumber
@@ -5754,10 +5775,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
 					   DAC960_MonitoringTimerInterval);
 	    if (signal_pending(current)) return -EINTR;
 	  }
-	ErrorCode = copy_to_user(GetHealthStatus.HealthStatusBuffer,
+	if (copy_to_user(GetHealthStatus.HealthStatusBuffer,
-				 Controller->V2.HealthStatusBuffer,
+			 Controller->V2.HealthStatusBuffer,
-				 sizeof(DAC960_V2_HealthStatusBuffer_T));
+			 sizeof(DAC960_V2_HealthStatusBuffer_T)))
-	return ErrorCode;
+		return -EFAULT;
+	return 0;
      }
    }
  return -EINVAL;

--- a/drivers/block/cpqarray.c
+++ b/drivers/block/cpqarray.c
@@ -1117,17 +1117,19 @@ static int ida_ioctl(struct inode *inode, struct file *filep, unsigned int cmd,
 		put_user(get_start_sect(inode->i_rdev), &geo->start);
 		return 0;
 	case IDAGETDRVINFO:
-		return copy_to_user(&io->c.drv,&hba[ctlr]->drv[dsk],sizeof(drv_info_t));
+		if (copy_to_user(&io->c.drv, &hba[ctlr]->drv[dsk],
+				 sizeof(drv_info_t)))
+			return -EFAULT;
+		return 0;
 	case BLKRRPART:
 		return revalidate_logvol(inode->i_rdev, 1);
 	case IDAPASSTHRU:
 		if (!capable(CAP_SYS_RAWIO)) return -EPERM;
-		error = copy_from_user(&my_io, io, sizeof(my_io));
+		if (copy_from_user(&my_io, io, sizeof(my_io)))
-		if (error) return error;
+			return -EFAULT;
 		error = ida_ctlr_ioctl(ctlr, dsk, &my_io);
 		if (error) return error;
-		error = copy_to_user(io, &my_io, sizeof(my_io));
+		return copy_to_user(io, &my_io, sizeof(my_io)) ? -EFAULT : 0;
-		return error;
 	case IDAGETCTLRSIG:
 		if (!arg) return -EINVAL;
 		put_user(hba[ctlr]->ctlr_sig, (int*)arg);
@@ -1208,7 +1210,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
 			cmd_free(h, c, 0); 
 			return(error);
 		}
-		copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
+		if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
+			kfree(p);
+			cmd_free(h, c, 0); 
+			return -EFAULT;
+		}
 		c->req.hdr.blk = pci_map_single(h->pci_dev, &(io->c), 
 				sizeof(ida_ioctl_t), 
 				PCI_DMA_BIDIRECTIONAL);
@@ -1245,7 +1251,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
                        cmd_free(h, c, 0);
                        return(error);
                }
-		copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
+		if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
+			kfree(p);
+                        cmd_free(h, c, 0);
+			return -EFAULT;
+		}
 		c->req.sg[0].size = io->sg[0].size;
 		c->req.sg[0].addr = pci_map_single(h->pci_dev, p, 
 			c->req.sg[0].size, PCI_DMA_BIDIRECTIONAL); 
@@ -1282,7 +1292,10 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
 	case DIAG_PASS_THRU:
 	case SENSE_CONTROLLER_PERFORMANCE:
 	case READ_FLASH_ROM:
-		copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size);
+		if (copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size)) {
+			kfree(p);
+			return -EFAULT;
+		}
 		/* fall through and free p */
 	case IDA_WRITE:
 	case IDA_WRITE_MEDIA:

--- a/drivers/block/paride/pg.c
+++ b/drivers/block/paride/pg.c
@@ -623,7 +623,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
 	if (PG.busy) return -EBUSY;
 	if (count < hs) return -EINVAL;
-	copy_from_user((char *)&hdr,buf,hs);
+	if (copy_from_user((char *)&hdr, buf, hs))
+		return -EFAULT;
 	if (hdr.magic != PG_MAGIC) return -EINVAL;
 	if (hdr.dlen > PG_MAX_DATA) return -EINVAL;
@@ -647,8 +648,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
 	PG.busy = 1;
-	copy_from_user(PG.bufptr,buf+hs,count-hs);
+	if (copy_from_user(PG.bufptr, buf + hs, count - hs))
+		return -EFAULT;
 	return count;
 }
@@ -682,9 +683,11 @@ static ssize_t pg_read(struct file * filp, char * buf,
 	hdr.duration = (jiffies - PG.start + HZ/2) / HZ;
 	hdr.scsi = PG.status & 0x0f;
-	copy_to_user(buf,(char *)&hdr,hs);
+	if (copy_to_user(buf, (char *)&hdr, hs))
-	if (copy > 0) copy_to_user(buf+hs,PG.bufptr,copy);
+		return -EFAULT;
+	if (copy > 0)
+		if (copy_to_user(buf+hs,PG.bufptr,copy))
+			return -EFAULT;
 	return copy+hs;
 }

--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -860,7 +860,10 @@ static ssize_t pt_read(struct file * filp, char * buf,
 		    n -= k;
 		    b = k;
 		    if (b > count) b = count;
-		    copy_to_user(buf+t,PT.bufptr,b);
+		    if (copy_to_user(buf + t, PT.bufptr, b)) {
+	    		pi_disconnect(PI);
+			return -EFAULT;
+		    }
 		    t += b;
 		    count -= b;
 	        }
@@ -944,7 +947,10 @@ static ssize_t pt_write(struct file * filp, const char * buf,
 		    if (k > PT_BUFSIZE) k = PT_BUFSIZE;
 		    b = k;
 		    if (b > count) b = count;
-		    copy_from_user(PT.bufptr,buf+t,b);
+		    if (copy_from_user(PT.bufptr, buf + t, b)) {
+			pi_disconnect(PI);
+			return -EFAULT;
+		    }
                    pi_write_block(PI,PT.bufptr,k);
 		    t += b;
 		    count -= b;

--- a/drivers/block/rd.c
+++ b/drivers/block/rd.c
@@ -318,7 +318,8 @@ static ssize_t initrd_read(struct file *file, char *buf,
 	left = initrd_end - initrd_start - *ppos;
 	if (count > left) count = left;
 	if (count == 0) return 0;
-	copy_to_user(buf, (char *)initrd_start + *ppos, count);
+	if (copy_to_user(buf, (char *)initrd_start + *ppos, count))
+		return -EFAULT;
 	*ppos += count;
 	return count;
 }

--- a/drivers/block/swim3.c
+++ b/drivers/block/swim3.c
@@ -840,9 +840,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
 		err = fd_eject(fs);
 		return err;
 	case FDGETPRM:
-	        err = copy_to_user((void *) param, (void *) &floppy_type,
+	        if (copy_to_user((void *) param, (void *)&floppy_type,
-				   sizeof(struct floppy_struct));
+				 sizeof(struct floppy_struct)))
-		return err;
+			return -EFAULT;
+		return 0;
 	}
 	return -ENOTTY;
 }

--- a/drivers/block/swim_iop.c
+++ b/drivers/block/swim_iop.c
@@ -360,9 +360,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
 		err = swimiop_eject(fs);
 		return err;
 	case FDGETPRM:
-	        err = copy_to_user((void *) param, (void *) &floppy_type,
+	        if (copy_to_user((void *) param, (void *) &floppy_type,
-				   sizeof(struct floppy_struct));
+				 sizeof(struct floppy_struct)))
-		return err;
+			return -EFAULT;
+		return 0;
 	}
 	return -ENOTTY;
 }