* yet another sparse-detected bug fix
From: David Mosberger @ 2004-10-04 15:45 UTC (permalink / raw)
To: linux-ia64
Arun,
copy_siginfo_from_user32() directly dereferences a user-pointer, which
is a no-no. At that point, to->si_code already has been initialized
so I think we can just use to->si_code instead. Compile-tested (only)
patch attached.
Signed-off-by: davidm@hpl.hp.com
=== arch/ia64/ia32/ia32_signal.c 1.30 vs edited ==
--- 1.30/arch/ia64/ia32/ia32_signal.c 2004-09-21 12:36:02 -07:00
+++ edited/arch/ia64/ia32/ia32_signal.c 2004-10-04 07:38:03 -07:00
@@ -78,10 +78,10 @@
err |= __get_user(to->si_errno, &from->si_errno);
err |= __get_user(to->si_code, &from->si_code);
- if (from->si_code < 0)
+ if (to->si_code < 0)
err |= __copy_from_user(&to->_sifields._pad, &from->_sifields._pad, SI_PAD_SIZE);
else {
- switch (from->si_code >> 16) {
+ switch (to->si_code >> 16) {
case __SI_CHLD >> 16:
err |= __get_user(to->si_utime, &from->si_utime);
err |= __get_user(to->si_stime, &from->si_stime);
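Review bot: `to->si_code` is tested at `if (to->si_code < 0)` before `err` from the preceding `__get_user()` has been examined, so a faulting read chooses the copy path from whatever value the failed fetch left in the kernel copy. On this architecture that is presumably 0 (the `__do_get_user` macro shown elsewhere on this page starts from `__gu_val = 0`), which is harmless provided `err` is returned afterwards, but the return path is outside this hunk and should be confirmed. I would also add a comment above the test, e.g. `/* use the kernel copy: 'from' is a user pointer and must neither be dereferenced nor fetched a second time */`, because reading si_code only once also closes the window in which user space could change it between the fetch and the switch. The function body starts before and continues after the hunk.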
* Re: yet another sparse-detected bug fix
From: Arun Sharma @ 2004-10-04 19:46 UTC (permalink / raw)
To: linux-ia64
[-- Attachment #1: Type: text/plain, Size: 617 bytes --]
On 10/4/2004 8:45 AM, David Mosberger wrote:
Hi David,
> Arun,
>
> copy_siginfo_from_user32() directly dereferences a user-pointer, which
> is a no-no. At that point, to->si_code already has been initialized
> so I think we can just use to->si_code instead. Compile-tested (only)
> patch attached.
>
> Signed-off-by: davidm@hpl.hp.com
I've been meaning to run sparse myself. But it wasn't very effective the last time I tried because of the missing __user annotations.
Please review the attached patches that add the missing annotations so that we can make it easy to spot these errors in the future.
-Arun
[-- Attachment #2: user-annotate-ia64.patch --]
[-- Type: text/plain, Size: 4508 bytes --]
Index: linux-2.6-cvs/include/asm-ia64/uaccess.h
===================================================================
RCS file: /home/adsharma/disk2/cvs/linux-2.5/include/asm-ia64/uaccess.h,v
retrieving revision 1.19
diff -u -r1.19 uaccess.h
--- linux-2.6-cvs/include/asm-ia64/uaccess.h 27 Aug 2004 17:43:14 -0000 1.19
+++ linux-2.6-cvs/include/asm-ia64/uaccess.h 4 Oct 2004 19:28:26 -0000
@@ -67,7 +67,7 @@
#define access_ok(type, addr, size) __access_ok((addr), (size), get_fs())
static inline int
-verify_area (int type, const void *addr, unsigned long size)
+verify_area (int type, const void __user *addr, unsigned long size)
{
return access_ok(type, addr, size) ? 0 : -EFAULT;
}
@@ -185,7 +185,7 @@
*/
#define __do_get_user(check, x, ptr, size, segment) \
({ \
- const __typeof__(*(ptr)) *__gu_ptr = (ptr); \
+ const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
__typeof__ (size) __gu_size = (size); \
long __gu_err = -EFAULT, __gu_val = 0; \
\
@@ -213,7 +213,7 @@
#define __do_put_user(check, x, ptr, size, segment) \
({ \
__typeof__ (x) __pu_x = (x); \
- __typeof__ (*(ptr)) *__pu_ptr = (ptr); \
+ __typeof__ (*(ptr)) __user *__pu_ptr = (ptr); \
__typeof__ (size) __pu_size = (size); \
long __pu_err = -EFAULT; \
\
@@ -240,31 +240,40 @@
#define __copy_from_user(to, from, n) __copy_user((to), (from), (n))
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
-#define copy_to_user(to, from, n) __copy_tofrom_user((to), (from), (n), 1)
-#define copy_from_user(to, from, n) __copy_tofrom_user((to), (from), (n), 0)
-#define __copy_tofrom_user(to, from, n, check_to) \
+#define copy_to_user(to, from, n) \
({ \
- void *__cu_to = (to); \
+ void __user *__cu_to = (to); \
const void *__cu_from = (from); \
long __cu_len = (n); \
\
- if (__access_ok((long) ((check_to) ? __cu_to : __cu_from), __cu_len, get_fs())) \
- __cu_len = __copy_user(__cu_to, __cu_from, __cu_len); \
+ if (__access_ok((long) __cu_to, __cu_len, get_fs())) \
+ __cu_len = __copy_user((void *) __cu_to, __cu_from, __cu_len); \
+ __cu_len; \
+})
+
+#define copy_from_user(to, from, n) \
+({ \
+ void *__cu_to = (to); \
+ const void __user *__cu_from = (from); \
+ long __cu_len = (n); \
+ \
+ if (__access_ok((long) __cu_from, __cu_len, get_fs())) \
+ __cu_len = __copy_user(__cu_to, (const void *) __cu_from, __cu_len); \
__cu_len; \
})
#define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
static inline unsigned long
-copy_in_user (void *to, const void *from, unsigned long n)
+copy_in_user (void *to, const void __user *from, unsigned long n)
{
if (likely(access_ok(VERIFY_READ, from, n) && access_ok(VERIFY_WRITE, to, n)))
n = __copy_user(to, from, n);
return n;
}
-extern unsigned long __do_clear_user (void *, unsigned long);
+extern unsigned long __do_clear_user (void __user *, unsigned long);
#define __clear_user(to, n) __do_clear_user(to, n)
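Review bot: `copy_in_user()` annotates only `from`, but `to` is validated with `access_ok(VERIFY_WRITE, to, n)` in the same function and is therefore a user pointer as well; the signature should read `copy_in_user (void __user *to, const void __user *from, unsigned long n)`. Left as it is, sparse has no basis for flagging a caller that passes a kernel address as the destination. In the new `copy_to_user`/`copy_from_user` macros the plain `(void *) __cu_to` and `(const void *) __cu_from` casts drop the address space again; if `__copy_user` is meant to stay unannotated, writing `(__force void *) __cu_to` makes the deliberate cast explicit.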
@@ -281,11 +290,11 @@
* Returns: -EFAULT if exception before terminator, N if the entire buffer filled, else
* strlen.
*/
-extern long __strncpy_from_user (char *to, const char *from, long to_len);
+extern long __strncpy_from_user (char *to, const char __user *from, long to_len);
#define strncpy_from_user(to, from, n) \
({ \
- const char * __sfu_from = (from); \
+ const char __user * __sfu_from = (from); \
long __sfu_ret = -EFAULT; \
if (__access_ok((long) __sfu_from, 0, get_fs())) \
__sfu_ret = __strncpy_from_user((to), __sfu_from, (n)); \
@@ -293,11 +302,11 @@
})
/* Returns: 0 if bad, string length+1 (memory size) of string if ok */
-extern unsigned long __strlen_user (const char *);
+extern unsigned long __strlen_user (const char __user *);
#define strlen_user(str) \
({ \
- const char *__su_str = (str); \
+ const char __user *__su_str = (str); \
unsigned long __su_ret = 0; \
if (__access_ok((long) __su_str, 0, get_fs())) \
__su_ret = __strlen_user(__su_str); \
@@ -309,7 +318,7 @@
* (N), a value greater than N if the limit would be exceeded, else
* strlen.
*/
-extern unsigned long __strnlen_user (const char *, long);
+extern unsigned long __strnlen_user (const char __user *, long);
#define strnlen_user(str, len) \
({ \
[-- Attachment #3: user-annotate.patch --]
[-- Type: text/plain, Size: 14996 bytes --]
Index: linux-2.6-cvs/arch/ia64/ia32/ia32_ldt.c
===================================================================
RCS file: /home/adsharma/disk2/cvs/linux-2.5/arch/ia64/ia32/ia32_ldt.c,v
retrieving revision 1.5
diff -u -r1.5 ia32_ldt.c
--- linux-2.6-cvs/arch/ia64/ia32/ia32_ldt.c 23 Oct 2003 00:41:22 -0000 1.5
+++ linux-2.6-cvs/arch/ia64/ia32/ia32_ldt.c 4 Oct 2004 18:28:19 -0000
@@ -126,7 +126,7 @@
}
asmlinkage int
-sys32_modify_ldt (int func, unsigned int ptr, unsigned int bytecount)
+sys32_modify_ldt (int func, unsigned int __user ptr, unsigned int bytecount)
{
int ret = -ENOSYS;
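Review bot: `unsigned int __user ptr` puts the address-space attribute on an integer rather than on a pointer, so it describes nothing that sparse can check and may itself draw a warning. `ptr` is a 32-bit user address carried as a number; I would keep the parameter as `unsigned int ptr` and apply the annotation where the value is converted to a pointer, which happens outside this hunk (for example via `compat_ptr(ptr)`, if that helper is available to this file).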
Index: linux-2.6-cvs/arch/ia64/ia32/ia32_signal.c
===================================================================
RCS file: /home/adsharma/disk2/cvs/linux-2.5/arch/ia64/ia32/ia32_signal.c,v
retrieving revision 1.22
diff -u -r1.22 ia32_signal.c
--- linux-2.6-cvs/arch/ia64/ia32/ia32_signal.c 22 Sep 2004 04:16:22 -0000 1.22
+++ linux-2.6-cvs/arch/ia64/ia32/ia32_signal.c 4 Oct 2004 18:41:59 -0000
@@ -66,7 +66,7 @@
};
int
-copy_siginfo_from_user32 (siginfo_t *to, siginfo_t32 *from)
+copy_siginfo_from_user32 (siginfo_t *to, siginfo_t32 __user *from)
{
unsigned long tmp;
int err;
@@ -110,7 +110,7 @@
}
int
-copy_siginfo_to_user32 (siginfo_t32 *to, siginfo_t *from)
+copy_siginfo_to_user32 (siginfo_t32 __user *to, siginfo_t *from)
{
unsigned int addr;
int err;
@@ -202,7 +202,7 @@
*/
static int
-save_ia32_fpstate_live (struct _fpstate_ia32 *save)
+save_ia32_fpstate_live (struct _fpstate_ia32 __user *save)
{
struct task_struct *tsk = current;
struct pt_regs *ptp;
@@ -310,7 +310,7 @@
}
static int
-restore_ia32_fpstate_live (struct _fpstate_ia32 *save)
+restore_ia32_fpstate_live (struct _fpstate_ia32 __user *save)
{
struct task_struct *tsk = current;
struct pt_regs *ptp;
@@ -453,7 +453,7 @@
}
asmlinkage long
-ia32_rt_sigsuspend (compat_sigset_t *uset, unsigned int sigsetsize, struct sigscratch *scr)
+ia32_rt_sigsuspend (compat_sigset_t __user *uset, unsigned int sigsetsize, struct sigscratch *scr)
{
extern long ia64_do_signal (sigset_t *oldset, struct sigscratch *scr, long in_syscall);
sigset_t oldset, set;
@@ -512,8 +512,8 @@
}
asmlinkage long
-sys32_rt_sigaction (int sig, struct sigaction32 *act,
- struct sigaction32 *oact, unsigned int sigsetsize)
+sys32_rt_sigaction (int sig, struct sigaction32 __user *act,
+ struct sigaction32 __user *oact, unsigned int sigsetsize)
{
struct k_sigaction new_ka, old_ka;
unsigned int handler, restorer;
@@ -547,7 +547,7 @@
asmlinkage long
-sys32_rt_sigprocmask (int how, compat_sigset_t *set, compat_sigset_t *oset, unsigned int sigsetsize)
+sys32_rt_sigprocmask (int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, unsigned int sigsetsize)
{
mm_segment_t old_fs = get_fs();
sigset_t s;
@@ -574,8 +574,8 @@
}
asmlinkage long
-sys32_rt_sigtimedwait (compat_sigset_t *uthese, siginfo_t32 *uinfo,
- struct compat_timespec *uts, unsigned int sigsetsize)
+sys32_rt_sigtimedwait (compat_sigset_t __user *uthese, siginfo_t32 __user *uinfo,
+ struct compat_timespec __user *uts, unsigned int sigsetsize)
{
extern int copy_siginfo_to_user32 (siginfo_t32 *, siginfo_t *);
mm_segment_t old_fs = get_fs();
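Review bot: the block-scope prototype `extern int copy_siginfo_to_user32 (siginfo_t32 *, siginfo_t *);` kept as context in this hunk no longer matches the definition, whose first parameter becomes `siginfo_t32 __user *to` earlier in this patch. It should be updated to `extern int copy_siginfo_to_user32 (siginfo_t32 __user *, siginfo_t *);`, or better replaced by a declaration in a shared header, so that passing `uinfo` is checked against the annotated type. The rest of sys32_rt_sigtimedwait lies outside the hunk.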
@@ -600,7 +600,7 @@
}
asmlinkage long
-sys32_rt_sigqueueinfo (int pid, int sig, siginfo_t32 *uinfo)
+sys32_rt_sigqueueinfo (int pid, int sig, siginfo_t32 __user *uinfo)
{
mm_segment_t old_fs = get_fs();
siginfo_t info;
@@ -615,7 +615,7 @@
}
asmlinkage long
-sys32_sigaction (int sig, struct old_sigaction32 *act, struct old_sigaction32 *oact)
+sys32_sigaction (int sig, struct old_sigaction32 __user *act, struct old_sigaction32 __user *oact)
{
struct k_sigaction new_ka, old_ka;
unsigned int handler, restorer;
@@ -648,7 +648,7 @@
}
static int
-setup_sigcontext_ia32 (struct sigcontext_ia32 *sc, struct _fpstate_ia32 *fpstate,
+setup_sigcontext_ia32 (struct sigcontext_ia32 __user *sc, struct _fpstate_ia32 __user *fpstate,
struct pt_regs *regs, unsigned long mask)
{
int err = 0;
@@ -705,7 +705,7 @@
}
static int
-restore_sigcontext_ia32 (struct pt_regs *regs, struct sigcontext_ia32 *sc, int *peax)
+restore_sigcontext_ia32 (struct pt_regs *regs, struct sigcontext_ia32 __user *sc, int *peax)
{
unsigned int err = 0;
@@ -830,7 +830,7 @@
setup_frame_ia32 (int sig, struct k_sigaction *ka, sigset_t *set, struct pt_regs * regs)
{
struct exec_domain *ed = current_thread_info()->exec_domain;
- struct sigframe_ia32 *frame;
+ struct sigframe_ia32 __user *frame;
int err = 0;
frame = get_sigframe(ka, regs, sizeof(*frame));
@@ -896,7 +896,7 @@
sigset_t *set, struct pt_regs * regs)
{
struct exec_domain *ed = current_thread_info()->exec_domain;
- struct rt_sigframe_ia32 *frame;
+ struct rt_sigframe_ia32 __user *frame;
int err = 0;
frame = get_sigframe(ka, regs, sizeof(*frame));
@@ -982,7 +982,7 @@
{
struct pt_regs *regs = (struct pt_regs *) &stack;
unsigned long esp = (unsigned int) regs->r12;
- struct sigframe_ia32 *frame = (struct sigframe_ia32 *)(esp - 8);
+ struct sigframe_ia32 __user *frame = (struct sigframe_ia32 *)(esp - 8);
sigset_t set;
int eax;
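Review bot: the initializer `(struct sigframe_ia32 *)(esp - 8)` still casts to an unannotated pointer type, so the newly `__user`-qualified `frame` is assigned from a kernel-space pointer expression and sparse is likely to report an address-space mismatch on this very line. The cast should carry the annotation as well: `struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(esp - 8);`. The next hunk has the same pattern with `(struct rt_sigframe_ia32 *)(esp - 4)`. Both function bodies extend beyond their hunks.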
@@ -1015,7 +1015,7 @@
{
struct pt_regs *regs = (struct pt_regs *) &stack;
unsigned long esp = (unsigned int) regs->r12;
- struct rt_sigframe_ia32 *frame = (struct rt_sigframe_ia32 *)(esp - 4);
+ struct rt_sigframe_ia32 __user *frame = (struct rt_sigframe_ia32 *)(esp - 4);
sigset_t set;
stack_t st;
int eax;
Index: linux-2.6-cvs/arch/ia64/ia32/sys_ia32.c
===================================================================
RCS file: /home/adsharma/disk2/cvs/linux-2.5/arch/ia64/ia32/sys_ia32.c,v
retrieving revision 1.72
diff -u -r1.72 sys_ia32.c
--- linux-2.6-cvs/arch/ia64/ia32/sys_ia32.c 22 Sep 2004 04:16:22 -0000 1.72
+++ linux-2.6-cvs/arch/ia64/ia32/sys_ia32.c 4 Oct 2004 18:23:15 -0000
@@ -128,7 +128,7 @@
return error;
}
-int cp_compat_stat(struct kstat *stat, struct compat_stat *ubuf)
+int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
{
int err;
@@ -927,7 +927,7 @@
};
asmlinkage long
-sys32_mmap (struct mmap_arg_struct *arg)
+sys32_mmap (struct mmap_arg_struct __user *arg)
{
struct mmap_arg_struct a;
struct file *file = NULL;
@@ -1155,14 +1155,14 @@
}
static inline long
-get_tv32 (struct timeval *o, struct compat_timeval *i)
+get_tv32 (struct timeval *o, struct compat_timeval __user *i)
{
return (!access_ok(VERIFY_READ, i, sizeof(*i)) ||
(__get_user(o->tv_sec, &i->tv_sec) | __get_user(o->tv_usec, &i->tv_usec)));
}
static inline long
-put_tv32 (struct compat_timeval *o, struct timeval *i)
+put_tv32 (struct compat_timeval *o, struct timeval __user *i)
{
return (!access_ok(VERIFY_WRITE, o, sizeof(*o)) ||
(__put_user(i->tv_sec, &o->tv_sec) | __put_user(i->tv_usec, &o->tv_usec)));
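Review bot: in `put_tv32` the annotation landed on the wrong parameter. The body validates `o` with `access_ok(VERIFY_WRITE, o, sizeof(*o))` and writes through it with `__put_user(..., &o->tv_sec)`, while `i->tv_sec` and `i->tv_usec` are read directly, so `o` is the user pointer and `i` the kernel one. As written, sparse would treat the direct reads of `i` as user dereferences and would not check `o` at all; the signature should be `put_tv32 (struct compat_timeval __user *o, struct timeval *i)`.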
@@ -1192,7 +1192,7 @@
extern struct timezone sys_tz;
asmlinkage long
-sys32_gettimeofday (struct compat_timeval *tv, struct timezone *tz)
+sys32_gettimeofday (struct compat_timeval __user *tv, struct timezone __user *tz)
{
if (tv) {
struct timeval ktv;
@@ -1208,7 +1208,7 @@
}
asmlinkage long
-sys32_settimeofday (struct compat_timeval *tv, struct timezone *tz)
+sys32_settimeofday (struct compat_timeval __user *tv, struct timezone __user *tz)
{
struct timeval ktv;
struct timespec kts;
@@ -1270,7 +1270,7 @@
}
asmlinkage long
-sys32_getdents (unsigned int fd, struct compat_dirent *dirent, unsigned int count)
+sys32_getdents (unsigned int fd, struct compat_dirent __user *dirent, unsigned int count)
{
struct file * file;
struct compat_dirent * lastdirent;
@@ -1326,7 +1326,7 @@
}
asmlinkage long
-sys32_readdir (unsigned int fd, void *dirent, unsigned int count)
+sys32_readdir (unsigned int fd, void __user *dirent, unsigned int count)
{
int error;
struct file * file;
@@ -1434,7 +1434,7 @@
* so we have to implement this system call here.
*/
asmlinkage long
-sys32_time (int *tloc)
+sys32_time (int __user *tloc)
{
int i;
struct timeval tv;
@@ -1454,7 +1454,7 @@
struct compat_rusage *ru);
asmlinkage long
-sys32_waitpid (int pid, unsigned int *stat_addr, int options)
+sys32_waitpid (int pid, unsigned int __user *stat_addr, int options)
{
return compat_sys_wait4(pid, stat_addr, options, NULL);
}
@@ -1627,7 +1627,7 @@
}
int
-save_ia32_fpstate (struct task_struct *tsk, struct ia32_user_i387_struct *save)
+save_ia32_fpstate (struct task_struct *tsk, struct ia32_user_i387_struct __user *save)
{
struct switch_stack *swp;
struct pt_regs *ptp;
@@ -1656,7 +1656,7 @@
}
static int
-restore_ia32_fpstate (struct task_struct *tsk, struct ia32_user_i387_struct *save)
+restore_ia32_fpstate (struct task_struct *tsk, struct ia32_user_i387_struct __user *save)
{
struct switch_stack *swp;
struct pt_regs *ptp;
@@ -1689,7 +1689,7 @@
}
int
-save_ia32_fpxstate (struct task_struct *tsk, struct ia32_user_fxsr_struct *save)
+save_ia32_fpxstate (struct task_struct *tsk, struct ia32_user_fxsr_struct __user *save)
{
struct switch_stack *swp;
struct pt_regs *ptp;
@@ -1728,7 +1728,7 @@
}
static int
-restore_ia32_fpxstate (struct task_struct *tsk, struct ia32_user_fxsr_struct *save)
+restore_ia32_fpxstate (struct task_struct *tsk, struct ia32_user_fxsr_struct __user *save)
{
struct switch_stack *swp;
struct pt_regs *ptp;
@@ -1920,7 +1920,7 @@
} ia32_stack_t;
asmlinkage long
-sys32_sigaltstack (ia32_stack_t *uss32, ia32_stack_t *uoss32,
+sys32_sigaltstack (ia32_stack_t __user *uss32, ia32_stack_t __user *uoss32,
long arg2, long arg3, long arg4, long arg5, long arg6, long arg7, long stack)
{
struct pt_regs *pt = (struct pt_regs *) &stack;
@@ -1989,7 +1989,7 @@
};
asmlinkage long
-sys32_sysctl (struct sysctl32 *args)
+sys32_sysctl (struct sysctl32 __user *args)
{
#ifdef CONFIG_SYSCTL
struct sysctl32 a32;
@@ -2035,7 +2035,7 @@
}
asmlinkage long
-sys32_newuname (struct new_utsname *name)
+sys32_newuname (struct new_utsname __user *name)
{
int ret = sys_newuname(name);
@@ -2046,7 +2046,7 @@
}
asmlinkage long
-sys32_getresuid16 (u16 *ruid, u16 *euid, u16 *suid)
+sys32_getresuid16 (u16 __user *ruid, u16 __user *euid, u16 __user *suid)
{
uid_t a, b, c;
int ret;
@@ -2086,7 +2086,7 @@
}
static int
-groups16_to_user(short *grouplist, struct group_info *group_info)
+groups16_to_user(short __user *grouplist, struct group_info *group_info)
{
int i;
short group;
@@ -2101,7 +2101,7 @@
}
static int
-groups16_from_user(struct group_info *group_info, short *grouplist)
+groups16_from_user(struct group_info *group_info, short __user *grouplist)
{
int i;
short group;
@@ -2116,7 +2116,7 @@
}
asmlinkage long
-sys32_getgroups16 (int gidsetsize, short *grouplist)
+sys32_getgroups16 (int gidsetsize, short __user *grouplist)
{
int i;
@@ -2141,7 +2141,7 @@
}
asmlinkage long
-sys32_setgroups16 (int gidsetsize, short *grouplist)
+sys32_setgroups16 (int gidsetsize, short __user *grouplist)
{
struct group_info *group_info;
int retval;
@@ -2179,7 +2179,7 @@
}
static int
-putstat64 (struct stat64 *ubuf, struct kstat *kbuf)
+putstat64 (struct stat64 __user *ubuf, struct kstat *kbuf)
{
int err;
u64 hdev;
@@ -2214,7 +2214,7 @@
}
asmlinkage long
-sys32_stat64 (char *filename, struct stat64 *statbuf)
+sys32_stat64 (char __user *filename, struct stat64 __user *statbuf)
{
struct kstat s;
long ret = vfs_stat(filename, &s);
@@ -2224,7 +2224,7 @@
}
asmlinkage long
-sys32_lstat64 (char *filename, struct stat64 *statbuf)
+sys32_lstat64 (char __user *filename, struct stat64 __user *statbuf)
{
struct kstat s;
long ret = vfs_lstat(filename, &s);
@@ -2234,7 +2234,7 @@
}
asmlinkage long
-sys32_fstat64 (unsigned int fd, struct stat64 *statbuf)
+sys32_fstat64 (unsigned int fd, struct stat64 __user *statbuf)
{
struct kstat s;
long ret = vfs_fstat(fd, &s);
@@ -2261,7 +2261,7 @@
};
asmlinkage long
-sys32_sysinfo (struct sysinfo32 *info)
+sys32_sysinfo (struct sysinfo32 __user *info)
{
struct sysinfo s;
long ret, err;
@@ -2312,7 +2312,7 @@
}
asmlinkage long
-sys32_sched_rr_get_interval (pid_t pid, struct compat_timespec *interval)
+sys32_sched_rr_get_interval (pid_t pid, struct compat_timespec __user *interval)
{
mm_segment_t old_fs = get_fs();
struct timespec t;
@@ -2327,19 +2327,19 @@
}
asmlinkage long
-sys32_pread (unsigned int fd, void *buf, unsigned int count, u32 pos_lo, u32 pos_hi)
+sys32_pread (unsigned int fd, void __user *buf, unsigned int count, u32 pos_lo, u32 pos_hi)
{
return sys_pread64(fd, buf, count, ((unsigned long) pos_hi << 32) | pos_lo);
}
asmlinkage long
-sys32_pwrite (unsigned int fd, void *buf, unsigned int count, u32 pos_lo, u32 pos_hi)
+sys32_pwrite (unsigned int fd, void __user *buf, unsigned int count, u32 pos_lo, u32 pos_hi)
{
return sys_pwrite64(fd, buf, count, ((unsigned long) pos_hi << 32) | pos_lo);
}
asmlinkage long
-sys32_sendfile (int out_fd, int in_fd, int *offset, unsigned int count)
+sys32_sendfile (int out_fd, int in_fd, int __user *offset, unsigned int count)
{
mm_segment_t old_fs = get_fs();
long ret;
@@ -2388,7 +2388,7 @@
* Exactly like fs/open.c:sys_open(), except that it doesn't set the O_LARGEFILE flag.
*/
asmlinkage long
-sys32_open (const char * filename, int flags, int mode)
+sys32_open (const char __user *filename, int flags, int mode)
{
char * tmp;
int fd, error;
@@ -2423,7 +2423,7 @@
};
asmlinkage long
-sys32_epoll_ctl(int epfd, int op, int fd, struct epoll_event32 *event)
+sys32_epoll_ctl(int epfd, int op, int fd, struct epoll_event32 __user *event)
{
mm_segment_t old_fs = get_fs();
struct epoll_event event64;
@@ -2448,7 +2448,7 @@
}
asmlinkage long
-sys32_epoll_wait(int epfd, struct epoll_event32 *events, int maxevents,
+sys32_epoll_wait(int epfd, struct epoll_event32 __user *events, int maxevents,
int timeout)
{
struct epoll_event *events64 = NULL;
@@ -2526,7 +2526,7 @@
* Set a given TLS descriptor:
*/
asmlinkage int
-sys32_set_thread_area (struct ia32_user_desc *u_info)
+sys32_set_thread_area (struct ia32_user_desc __user *u_info)
{
struct thread_struct *t = ¤t->thread;
struct ia32_user_desc info;
@@ -2587,7 +2587,7 @@
#define GET_USEABLE(desc) (((desc)->b >> 20) & 1)
asmlinkage int
-sys32_get_thread_area (struct ia32_user_desc *u_info)
+sys32_get_thread_area (struct ia32_user_desc __user *u_info)
{
struct ia32_user_desc info;
struct desc_struct *desc;
@@ -2620,7 +2620,7 @@
timer_t * created_timer_id);
asmlinkage long
-sys32_timer_create(u32 clock, struct sigevent32 *se32, timer_t *timer_id)
+sys32_timer_create(u32 clock, struct sigevent32 __user *se32, timer_t __user *timer_id)
{
struct sigevent se;
mm_segment_t oldfs;
@@ -2724,7 +2724,7 @@
extern int do_adjtimex(struct timex *);
asmlinkage long
-sys32_adjtimex(struct timex32 *utp)
+sys32_adjtimex(struct timex32 __user *utp)
{
struct timex txc;
int ret;
* Re: yet another sparse-detected bug fix
From: David Mosberger @ 2004-10-05 7:21 UTC (permalink / raw)
To: linux-ia64
>>>>> On Mon, 04 Oct 2004 12:46:41 -0700, Arun Sharma <arun.sharma@intel.com> said:
Arun> On 10/4/2004 8:45 AM, David Mosberger wrote:
Arun> Hi David,
>> Arun,
>>
>> copy_siginfo_from_user32() directly dereferences a user-pointer, which
>> is a no-no. At that point, to->si_code already has been initialized
>> so I think we can just use to->si_code instead. Compile-tested (only)
>> patch attached.
>>
>> Signed-off-by: davidm@hpl.hp.com
Arun> I've been meaning to run sparse myself. But it wasn't very effective the last time I tried because of the missing __user annotations.
Arun> Please review the attached patches that add the missing
Arun> annotations so that we can make it easy to spot these errors
Arun> in the future.
I'm confused. I posted a sparse-enablement patch yesterday. Was
there something wrong with that one?
--david
* RE: yet another sparse-detected bug fix
From: Luck, Tony @ 2004-10-05 15:40 UTC (permalink / raw)
To: linux-ia64
>I'm confused. I posted a sparse-enablement patch yesterday. Was
>there something wrong with that one?
I can't tell ... I haven't seen it (none of the sparse patches that
I've received match the diffstat that you sent for it today ... and
I checked the "marc.theaimsgroup.com" archive too, it isn't there
either). Please resend.
-Tony
* RE: yet another sparse-detected bug fix
From: David Mosberger @ 2004-10-05 15:59 UTC (permalink / raw)
To: linux-ia64
>>>>> On Tue, 5 Oct 2004 08:40:56 -0700, "Luck, Tony" <tony.luck@intel.com> said:
>> I'm confused. I posted a sparse-enablement patch yesterday. Was
>> there something wrong with that one?
Tony> I can't tell ... I haven't seen it (none of the sparse patches
Tony> that I've received match the diffstat that you sent for it
Tony> today ... and I checked the "marc.theaimsgroup.com" archive
Tony> too, it isn't there either). Please resend.
Something seems to be silently dropping mails with large patches.
Mine was just a bit over 100KB, so this seems plausible. I'm just
not sure whether it's vger or something in between.
Anyhow, I split up the patches and sent them separately, since
I think they're in good enough shape that we can at least think about
merging them.
--david