drivers/block/*.c

  - fix copy_{to,from}_user error handling, thanks to Rusty for
    pointing this out on lkml
parent a2536452
......@@ -5473,9 +5473,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
int ControllerNumber, DataTransferLength;
unsigned char *DataTransferBuffer = NULL;
if (UserSpaceUserCommand == NULL) return -EINVAL;
ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
sizeof(DAC960_V1_UserCommand_T));
if (ErrorCode != 0) goto Failure1;
if (copy_from_user(&UserCommand, UserSpaceUserCommand,
sizeof(DAC960_V1_UserCommand_T))) {
ErrorCode = -EFAULT;
goto Failure1;
}
ControllerNumber = UserCommand.ControllerNumber;
if (ControllerNumber < 0 ||
ControllerNumber > DAC960_ControllerCount - 1)
......@@ -5488,9 +5490,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
if (CommandOpcode & 0x80) return -EINVAL;
if (CommandOpcode == DAC960_V1_DCDB)
{
ErrorCode =
copy_from_user(&DCDB, UserCommand.DCDB, sizeof(DAC960_V1_DCDB_T));
if (ErrorCode != 0) goto Failure1;
if (copy_from_user(&DCDB, UserCommand.DCDB,
sizeof(DAC960_V1_DCDB_T))) {
ErrorCode = -EFAULT;
goto Failure1;
}
if (DCDB.Channel >= DAC960_V1_MaxChannels) return -EINVAL;
if (!((DataTransferLength == 0 &&
DCDB.Direction
......@@ -5516,10 +5520,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
{
DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
if (DataTransferBuffer == NULL) return -ENOMEM;
ErrorCode = copy_from_user(DataTransferBuffer,
if (copy_from_user(DataTransferBuffer,
UserCommand.DataTransferBuffer,
-DataTransferLength);
if (ErrorCode != 0) goto Failure1;
-DataTransferLength)) {
ErrorCode = -EFAULT;
goto Failure1;
}
}
if (CommandOpcode == DAC960_V1_DCDB)
{
......@@ -5567,17 +5573,21 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
if (DataTransferLength > 0)
{
ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
DataTransferBuffer, DataTransferLength);
if (ErrorCode != 0) goto Failure1;
if (copy_to_user(UserCommand.DataTransferBuffer,
DataTransferBuffer, DataTransferLength))
ErrorCode = -EFAULT;
goto Failure1;
}
}
if (CommandOpcode == DAC960_V1_DCDB)
{
Controller->V1.DirectCommandActive[DCDB.Channel]
[DCDB.TargetID] = false;
ErrorCode =
copy_to_user(UserCommand.DCDB, &DCDB, sizeof(DAC960_V1_DCDB_T));
if (ErrorCode != 0) goto Failure1;
if (copy_to_user(UserCommand.DCDB, &DCDB,
sizeof(DAC960_V1_DCDB_T))) {
ErrorCode = -EFAULT;
goto Failure1;
}
}
ErrorCode = CommandStatus;
Failure1:
......@@ -5600,9 +5610,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
unsigned char *DataTransferBuffer = NULL;
unsigned char *RequestSenseBuffer = NULL;
if (UserSpaceUserCommand == NULL) return -EINVAL;
ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
sizeof(DAC960_V2_UserCommand_T));
if (ErrorCode != 0) goto Failure2;
if (copy_from_user(&UserCommand, UserSpaceUserCommand,
sizeof(DAC960_V2_UserCommand_T))) {
ErrorCode = -EFAULT;
goto Failure2;
}
ControllerNumber = UserCommand.ControllerNumber;
if (ControllerNumber < 0 ||
ControllerNumber > DAC960_ControllerCount - 1)
......@@ -5621,10 +5633,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
{
DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
if (DataTransferBuffer == NULL) return -ENOMEM;
ErrorCode = copy_from_user(DataTransferBuffer,
if (copy_from_user(DataTransferBuffer,
UserCommand.DataTransferBuffer,
-DataTransferLength);
if (ErrorCode != 0) goto Failure2;
-DataTransferLength)) {
ErrorCode = -EFAULT;
goto Failure2;
}
}
RequestSenseLength = UserCommand.RequestSenseLength;
if (RequestSenseLength > 0)
......@@ -5694,25 +5708,32 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
if (RequestSenseLength > UserCommand.RequestSenseLength)
RequestSenseLength = UserCommand.RequestSenseLength;
ErrorCode = copy_to_user(&UserSpaceUserCommand->DataTransferLength,
if (copy_to_user(&UserSpaceUserCommand->DataTransferLength,
&DataTransferResidue,
sizeof(DataTransferResidue));
if (ErrorCode != 0) goto Failure2;
ErrorCode = copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
&RequestSenseLength,
sizeof(RequestSenseLength));
if (ErrorCode != 0) goto Failure2;
sizeof(DataTransferResidue))) {
ErrorCode = -EFAULT;
goto Failure2;
}
if (copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
&RequestSenseLength, sizeof(RequestSenseLength))) {
ErrorCode = -EFAULT;
goto Failure2;
}
if (DataTransferLength > 0)
{
ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
DataTransferBuffer, DataTransferLength);
if (ErrorCode != 0) goto Failure2;
if (copy_to_user(UserCommand.DataTransferBuffer,
DataTransferBuffer, DataTransferLength)) {
ErrorCode = -EFAULT;
goto Failure2;
}
}
if (RequestSenseLength > 0)
{
ErrorCode = copy_to_user(UserCommand.RequestSenseBuffer,
RequestSenseBuffer, RequestSenseLength);
if (ErrorCode != 0) goto Failure2;
if (copy_to_user(UserCommand.RequestSenseBuffer,
RequestSenseBuffer, RequestSenseLength)) {
ErrorCode = -EFAULT;
goto Failure2;
}
}
ErrorCode = CommandStatus;
Failure2:
......@@ -5731,9 +5752,9 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
DAC960_Controller_T *Controller;
int ControllerNumber;
if (UserSpaceGetHealthStatus == NULL) return -EINVAL;
ErrorCode = copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
sizeof(DAC960_V2_GetHealthStatus_T));
if (ErrorCode != 0) return ErrorCode;
if (copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
sizeof(DAC960_V2_GetHealthStatus_T)))
return -EFAULT;
ControllerNumber = GetHealthStatus.ControllerNumber;
if (ControllerNumber < 0 ||
ControllerNumber > DAC960_ControllerCount - 1)
......@@ -5741,10 +5762,10 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
Controller = DAC960_Controllers[ControllerNumber];
if (Controller == NULL) return -ENXIO;
if (Controller->FirmwareType != DAC960_V2_Controller) return -EINVAL;
ErrorCode = copy_from_user(&HealthStatusBuffer,
if (copy_from_user(&HealthStatusBuffer,
GetHealthStatus.HealthStatusBuffer,
sizeof(DAC960_V2_HealthStatusBuffer_T));
if (ErrorCode != 0) return ErrorCode;
sizeof(DAC960_V2_HealthStatusBuffer_T)))
return -EFAULT;
while (Controller->V2.HealthStatusBuffer->StatusChangeCounter
== HealthStatusBuffer.StatusChangeCounter &&
Controller->V2.HealthStatusBuffer->NextEventSequenceNumber
......@@ -5754,10 +5775,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
DAC960_MonitoringTimerInterval);
if (signal_pending(current)) return -EINTR;
}
ErrorCode = copy_to_user(GetHealthStatus.HealthStatusBuffer,
if (copy_to_user(GetHealthStatus.HealthStatusBuffer,
Controller->V2.HealthStatusBuffer,
sizeof(DAC960_V2_HealthStatusBuffer_T));
return ErrorCode;
sizeof(DAC960_V2_HealthStatusBuffer_T)))
return -EFAULT;
return 0;
}
}
return -EINVAL;
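Review bot: The copy_to_user failure branch inside `if (DataTransferLength > 0)` in the V1 path (`@@ -5567,17 +5573,21 @@`) is missing its braces, so `goto Failure1;` runs unconditionally: whenever data was transferred back, control skips the DCDB `copy_to_user`, never clears `Controller->V1.DirectCommandActive[DCDB.Channel][DCDB.TargetID]`, and never reaches `ErrorCode = CommandStatus;`, returning whatever ErrorCode held before. Every other hunk in this commit braces the same pattern, so this reads as a slip rather than intent; the fix is `if (copy_to_user(UserCommand.DataTransferBuffer, DataTransferBuffer, DataTransferLength)) { ErrorCode = -EFAULT; goto Failure1; }`. Separately, I cannot see an upper bound on the user-supplied `-DataTransferLength` before the `kmalloc(-DataTransferLength, GFP_KERNEL)` calls in the V1 and V2 paths; if none exists above these hunks, a caller with the device open can request an arbitrarily large kernel allocation from this ioctl, which is worth confirming. DAC960_UserIOCTL itself starts and ends outside these hunks.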
......
......@@ -1117,17 +1117,19 @@ static int ida_ioctl(struct inode *inode, struct file *filep, unsigned int cmd,
put_user(get_start_sect(inode->i_rdev), &geo->start);
return 0;
case IDAGETDRVINFO:
return copy_to_user(&io->c.drv,&hba[ctlr]->drv[dsk],sizeof(drv_info_t));
if (copy_to_user(&io->c.drv, &hba[ctlr]->drv[dsk],
sizeof(drv_info_t)))
return -EFAULT;
return 0;
case BLKRRPART:
return revalidate_logvol(inode->i_rdev, 1);
case IDAPASSTHRU:
if (!capable(CAP_SYS_RAWIO)) return -EPERM;
error = copy_from_user(&my_io, io, sizeof(my_io));
if (error) return error;
if (copy_from_user(&my_io, io, sizeof(my_io)))
return -EFAULT;
error = ida_ctlr_ioctl(ctlr, dsk, &my_io);
if (error) return error;
error = copy_to_user(io, &my_io, sizeof(my_io));
return error;
return copy_to_user(io, &my_io, sizeof(my_io)) ? -EFAULT : 0;
case IDAGETCTLRSIG:
if (!arg) return -EINVAL;
put_user(hba[ctlr]->ctlr_sig, (int*)arg);
......@@ -1208,7 +1210,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
cmd_free(h, c, 0);
return(error);
}
copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
kfree(p);
cmd_free(h, c, 0);
return -EFAULT;
}
c->req.hdr.blk = pci_map_single(h->pci_dev, &(io->c),
sizeof(ida_ioctl_t),
PCI_DMA_BIDIRECTIONAL);
......@@ -1245,7 +1251,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
cmd_free(h, c, 0);
return(error);
}
copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
kfree(p);
cmd_free(h, c, 0);
return -EFAULT;
}
c->req.sg[0].size = io->sg[0].size;
c->req.sg[0].addr = pci_map_single(h->pci_dev, p,
c->req.sg[0].size, PCI_DMA_BIDIRECTIONAL);
......@@ -1282,7 +1292,10 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
case DIAG_PASS_THRU:
case SENSE_CONTROLLER_PERFORMANCE:
case READ_FLASH_ROM:
copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size);
if (copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size)) {
kfree(p);
return -EFAULT;
}
/* fall through and free p */
case IDA_WRITE:
case IDA_WRITE_MEDIA:
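Review bot: The new copy_to_user failure path in ida_ctlr_ioctl (`@@ -1282,7 +1292,10 @@`) does `kfree(p); return -EFAULT;` but, unlike the two copy_from_user failure paths added earlier in the same function, does not call `cmd_free(h, c, 0)`. If the command is normally released after the switch statement, which is outside the hunk, every -EFAULT here leaks a command slot; the earlier paths suggest `kfree(p); cmd_free(h, c, 0); return -EFAULT;` is the intended shape. Since the controller has already executed the command at this point, an alternative is to record -EFAULT in a local, fall through to the existing kfree, and return it after the normal cleanup so whatever unmapping and release follows the switch stays on a single path. ida_ctlr_ioctl starts and ends outside these hunks.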
......
......@@ -623,7 +623,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
if (PG.busy) return -EBUSY;
if (count < hs) return -EINVAL;
copy_from_user((char *)&hdr,buf,hs);
if (copy_from_user((char *)&hdr, buf, hs))
return -EFAULT;
if (hdr.magic != PG_MAGIC) return -EINVAL;
if (hdr.dlen > PG_MAX_DATA) return -EINVAL;
......@@ -647,8 +648,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
PG.busy = 1;
copy_from_user(PG.bufptr,buf+hs,count-hs);
if (copy_from_user(PG.bufptr, buf + hs, count - hs))
return -EFAULT;
return count;
}
......@@ -682,9 +683,11 @@ static ssize_t pg_read(struct file * filp, char * buf,
hdr.duration = (jiffies - PG.start + HZ/2) / HZ;
hdr.scsi = PG.status & 0x0f;
copy_to_user(buf,(char *)&hdr,hs);
if (copy > 0) copy_to_user(buf+hs,PG.bufptr,copy);
if (copy_to_user(buf, (char *)&hdr, hs))
return -EFAULT;
if (copy > 0)
if (copy_to_user(buf+hs,PG.bufptr,copy))
return -EFAULT;
return copy+hs;
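Review bot: The new `return -EFAULT` in pg_write (`@@ -647,8 +648,8 @@`) runs after `PG.busy = 1;` on the line above it and leaves the flag set, so every later pg_write fails at the `if (PG.busy) return -EBUSY;` guard until something else clears it. The code between the header checks and `PG.busy = 1` is outside the hunk; if the command has already been issued to the drive there, a fault needs the same completion or reset handling as a normal command rather than just a cleared flag. If nothing there depends on the payload being copied afterwards, the simplest fix is to copy before committing: `if (copy_from_user(PG.bufptr, buf + hs, count - hs)) return -EFAULT;` followed by `PG.busy = 1;`. pg_write starts outside this hunk.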
}
......
......@@ -860,7 +860,10 @@ static ssize_t pt_read(struct file * filp, char * buf,
n -= k;
b = k;
if (b > count) b = count;
copy_to_user(buf+t,PT.bufptr,b);
if (copy_to_user(buf + t, PT.bufptr, b)) {
pi_disconnect(PI);
return -EFAULT;
}
t += b;
count -= b;
}
......@@ -944,7 +947,10 @@ static ssize_t pt_write(struct file * filp, const char * buf,
if (k > PT_BUFSIZE) k = PT_BUFSIZE;
b = k;
if (b > count) b = count;
copy_from_user(PT.bufptr,buf+t,b);
if (copy_from_user(PT.bufptr, buf + t, b)) {
pi_disconnect(PI);
return -EFAULT;
}
pi_write_block(PI,PT.bufptr,k);
t += b;
count -= b;
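Review bot: Both new failure paths in pt_read and pt_write (`@@ -860,7 +860,10 @@` and `@@ -944,7 +947,10 @@`) return -EFAULT even when earlier loop iterations already moved `t` bytes to or from the drive, so the caller loses the count of data already consumed from or written to the tape and cannot resync its position. The usual convention for a partial transfer is to report what was done, e.g. `return t ? t : -EFAULT;` after the `pi_disconnect(PI)` in each path, consistent with how `t` is accumulated at `t += b;`. In pt_read the `n -= k` bookkeeping also suggests the drive still has n bytes pending when the loop is abandoned; whether `pi_disconnect` alone leaves it in a sane state is not visible here and deserves a comment on that line. Both functions start and end outside these hunks.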
......
......@@ -318,7 +318,8 @@ static ssize_t initrd_read(struct file *file, char *buf,
left = initrd_end - initrd_start - *ppos;
if (count > left) count = left;
if (count == 0) return 0;
copy_to_user(buf, (char *)initrd_start + *ppos, count);
if (copy_to_user(buf, (char *)initrd_start + *ppos, count))
return -EFAULT;
*ppos += count;
return count;
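Review bot: The clamp immediately above the new -EFAULT return in initrd_read (`@@ -318,7 +318,8 @@`), `if (count > left) count = left;`, only bounds the copy_to_user if `left` cannot be negative. `left` is declared outside the hunk; if it is a signed type and `*ppos` can be moved past the end of the image with lseek, `count > left` compares as unsigned, count is never clamped, and the `copy_to_user` reads past `initrd_end`. A guard such as `if (*ppos >= initrd_end - initrd_start) return 0;` before the subtraction would close this regardless of the type of `left`. initrd_read starts outside this hunk.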
}
......
......@@ -840,9 +840,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
err = fd_eject(fs);
return err;
case FDGETPRM:
err = copy_to_user((void *) param, (void *) &floppy_type,
sizeof(struct floppy_struct));
return err;
if (copy_to_user((void *) param, (void *)&floppy_type,
sizeof(struct floppy_struct)))
return -EFAULT;
return 0;
}
return -ENOTTY;
}
......
......@@ -360,9 +360,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
err = swimiop_eject(fs);
return err;
case FDGETPRM:
err = copy_to_user((void *) param, (void *) &floppy_type,
sizeof(struct floppy_struct));
return err;
if (copy_to_user((void *) param, (void *) &floppy_type,
sizeof(struct floppy_struct)))
return -EFAULT;
return 0;
}
return -ENOTTY;
}
......