* [patch 17/30] scsi: fix uaccess handling
From: akpm @ 2006-12-04 23:18 UTC (permalink / raw)
To: James.Bottomley; +Cc: linux-scsi, akpm, heiko.carstens
From: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---
drivers/scsi/scsi_ioctl.c | 17 +++++++------
drivers/scsi/sg.c | 47 +++++++++++++++++++-----------------
2 files changed, 35 insertions(+), 29 deletions(-)
diff -puN drivers/scsi/scsi_ioctl.c~scsi-fix-uaccess-handling drivers/scsi/scsi_ioctl.c
--- a/drivers/scsi/scsi_ioctl.c~scsi-fix-uaccess-handling
+++ a/drivers/scsi/scsi_ioctl.c
@@ -217,13 +217,16 @@ int scsi_ioctl(struct scsi_device *sdev,
if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
return -EFAULT;
- __put_user((sdev->id & 0xff)
- + ((sdev->lun & 0xff) << 8)
- + ((sdev->channel & 0xff) << 16)
- + ((sdev->host->host_no & 0xff) << 24),
- &((struct scsi_idlun __user *)arg)->dev_id);
- __put_user(sdev->host->unique_id,
- &((struct scsi_idlun __user *)arg)->host_unique_id);
+ if (__put_user((sdev->id & 0xff)
+ + ((sdev->lun & 0xff) << 8)
+ + ((sdev->channel & 0xff) << 16)
+ + ((sdev->host->host_no & 0xff) << 24),
+ &((struct scsi_idlun __user *)arg)->dev_id))
+ return -EFAULT;
+
+ if(__put_user(sdev->host->unique_id,
+ &((struct scsi_idlun __user *)arg)->host_unique_id))
+ return -EFAULT;
return 0;
case SCSI_IOCTL_GET_BUS_NUMBER:
return put_user(sdev->host->host_no, (int __user *)arg);
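Review bot: The second added check, `if(__put_user(sdev->host->unique_id,`, is missing the space after `if` that the first check has; kernel style wants `if (__put_user(`. Both stores target the same `struct scsi_idlun` and fail the same way, so they could be joined as one `if (__put_user(...) || __put_user(...)) return -EFAULT;`, the form this patch uses in sg.c. A fault on the second store leaves `dev_id` already written in user memory, which is harmless here but worth knowing when reading the -EFAULT path. The enclosing `scsi_ioctl` switch starts and ends outside the hunk.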
diff -puN drivers/scsi/sg.c~scsi-fix-uaccess-handling drivers/scsi/sg.c
--- a/drivers/scsi/sg.c~scsi-fix-uaccess-handling
+++ a/drivers/scsi/sg.c
@@ -556,7 +556,8 @@ sg_write(struct file *filp, const char _
return -EDOM;
}
buf += SZ_SG_HEADER;
- __get_user(opcode, buf);
+ if (__get_user(opcode, buf))
+ return -EFAULT;
if (sfp->next_cmd_len > 0) {
if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n"));
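Review bot: The new `return -EFAULT` after `__get_user(opcode, buf)` leaves sg_write directly, and the context just above it (`return -EDOM; }`) suggests that something was reserved or allocated immediately before this point. That code is outside the hunk, so please confirm nothing has to be released on this path. If a request was set up before the read, the failure branch should undo it before returning, or the opcode read should move ahead of that setup. It is also not visible here which access_ok() call covers `buf + SZ_SG_HEADER`; if none does, `get_user(opcode, buf)` is the safer form.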
@@ -779,6 +780,7 @@ sg_ioctl(struct inode *inode, struct fil
Sg_fd *sfp;
Sg_request *srp;
unsigned long iflags;
+ sg_scsi_id_t __user *sg_idp;
if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
return -ENXIO;
@@ -860,26 +862,25 @@ sg_ioctl(struct inode *inode, struct fil
case SG_GET_SCSI_ID:
if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t)))
return -EFAULT;
- else {
- sg_scsi_id_t __user *sg_idp = p;
+ sg_idp = p;
- if (sdp->detached)
- return -ENODEV;
- __put_user((int) sdp->device->host->host_no,
- &sg_idp->host_no);
- __put_user((int) sdp->device->channel,
- &sg_idp->channel);
- __put_user((int) sdp->device->id, &sg_idp->scsi_id);
- __put_user((int) sdp->device->lun, &sg_idp->lun);
- __put_user((int) sdp->device->type, &sg_idp->scsi_type);
- __put_user((short) sdp->device->host->cmd_per_lun,
- &sg_idp->h_cmd_per_lun);
- __put_user((short) sdp->device->queue_depth,
- &sg_idp->d_queue_depth);
- __put_user(0, &sg_idp->unused[0]);
- __put_user(0, &sg_idp->unused[1]);
- return 0;
- }
+ if (sdp->detached)
+ return -ENODEV;
+ if (__put_user((int) sdp->device->host->host_no,
+ &sg_idp->host_no) ||
+ __put_user((int) sdp->device->channel,
+ &sg_idp->channel) ||
+ __put_user((int) sdp->device->id, &sg_idp->scsi_id) ||
+ __put_user((int) sdp->device->lun, &sg_idp->lun) ||
+ __put_user((int) sdp->device->type, &sg_idp->scsi_type) ||
+ __put_user((short) sdp->device->host->cmd_per_lun,
+ &sg_idp->h_cmd_per_lun) ||
+ __put_user((short) sdp->device->queue_depth,
+ &sg_idp->d_queue_depth) ||
+ __put_user(0, &sg_idp->unused[0]) ||
+ __put_user(0, &sg_idp->unused[1]))
+ return -EFAULT;
+ return 0;
case SG_SET_FORCE_PACK_ID:
result = get_user(val, ip);
if (result)
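Review bot: In the SG_GET_SCSI_ID case, a fault part-way through the nine chained `__put_user` calls returns -EFAULT with the caller's sg_scsi_id_t half written, and every store relies on the separate access_ok() above staying in sync with the struct size. Filling a zeroed local sg_scsi_id_t and doing one copy_to_user() keeps the range check and the write together and makes the `sg_idp` declaration added at the top of sg_ioctl unnecessary. The memset matters so that `unused[]` and any padding do not carry kernel stack contents to user space. This reorders the errors slightly: a detached device would report -ENODEV even for a bad pointer. sg_ioctl starts and ends outside this hunk.

```c
	case SG_GET_SCSI_ID:
		{
			sg_scsi_id_t id;

			if (sdp->detached)
				return -ENODEV;
			/* zero first: covers unused[] and any padding */
			memset(&id, 0, sizeof(id));
			id.host_no = (int) sdp->device->host->host_no;
			id.channel = (int) sdp->device->channel;
			id.scsi_id = (int) sdp->device->id;
			id.lun = (int) sdp->device->lun;
			id.scsi_type = (int) sdp->device->type;
			id.h_cmd_per_lun = (short) sdp->device->host->cmd_per_lun;
			id.d_queue_depth = (short) sdp->device->queue_depth;
			if (copy_to_user(p, &id, sizeof(id)))
				return -EFAULT;
			return 0;
		}
	/* … unchanged: case SG_SET_FORCE_PACK_ID … */
```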
@@ -894,12 +895,14 @@ sg_ioctl(struct inode *inode, struct fil
if ((1 == srp->done) && (!srp->sg_io_owned)) {
read_unlock_irqrestore(&sfp->rq_list_lock,
iflags);
- __put_user(srp->header.pack_id, ip);
+ if (__put_user(srp->header.pack_id, ip))
+ return -EFAULT;
return 0;
}
}
read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
- __put_user(-1, ip);
+ if (__put_user(-1, ip))
+ return -EFAULT;
return 0;
case SG_GET_NUM_WAITING:
read_lock_irqsave(&sfp->rq_list_lock, iflags);
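Review bot: In the first changed branch, `srp->header.pack_id` is still evaluated inside `__put_user()` after `read_unlock_irqrestore()` has dropped `rq_list_lock`, so the value is read from a request the lock no longer protects. Whether another path can free or reuse `srp` at that point is not visible in this hunk. Copying it out first avoids the question: `val = srp->header.pack_id;` before the unlock, then `return put_user(val, ip);`. The access_ok() that the `__put_user` variants need for `ip` is also outside the hunk; if it is not there, `put_user(-1, ip)` is the self-contained form for the second store. The enclosing case and loop start outside the hunk.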
_
* Re: [patch 17/30] scsi: fix uaccess handling
From: James Bottomley @ 2006-12-15 19:50 UTC (permalink / raw)
To: akpm; +Cc: linux-scsi, heiko.carstens
On Mon, 2006-12-04 at 15:18 -0800, akpm@osdl.org wrote:
> From: Heiko Carstens <heiko.carstens@de.ibm.com>
>
> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
> Signed-off-by: Andrew Morton <akpm@osdl.org>
Not in current form ... an update is on the list.
James
* Re: [patch 17/30] scsi: fix uaccess handling
From: Heiko Carstens @ 2006-12-15 20:38 UTC (permalink / raw)
To: James Bottomley; +Cc: akpm, linux-scsi
On Fri, Dec 15, 2006 at 01:50:14PM -0600, James Bottomley wrote:
> On Mon, 2006-12-04 at 15:18 -0800, akpm@osdl.org wrote:
> > From: Heiko Carstens <heiko.carstens@de.ibm.com>
> >
> > Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
> > Signed-off-by: Andrew Morton <akpm@osdl.org>
>
> Not in current form ... an update is on the list.
I'll leave it to somebody else to test and send the updated patch.