From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org
Cc: petero2@telia.com
Subject: [PATCH] Fix root hole in pktcdvd
Date: Mon, 16 May 2005 21:37:49 -0700 [thread overview]
Message-ID: <11163046692974@kroah.com> (raw)
In-Reply-To: <11163046681444@kroah.com>
[PATCH] Fix root hole in pktcdvd
ioctl_by_bdev may only be used INSIDE the kernel. If the "arg" argument
refers to memory that is accessed by put_user/get_user in the ioctl
function, the memory needs to be in the kernel address space (that's the
set_fs(KERNEL_DS) doing in the ioctl_by_bdev). This works on i386 because
even with set_fs(KERNEL_DS) the user space memory is still accessible with
put_user/get_user. That is not true for s390. In short the ioctl
implementation of the pktcdvd device driver is horribly broken.
Signed-off-by: Peter Osterlund <petero2@telia.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
commit 118326e940bdecef6c459d42ccf05256ba86daa7
tree 13b1e48f4f3700603ed258c41e9e39978babf5ee
parent 68f66feb300423bb9ee5daecb1951af394425a38
author Peter Osterlund <petero2@telia.com> Sat, 14 May 2005 00:58:30 -0700
committer Greg KH <gregkh@suse.de> Mon, 16 May 2005 21:07:31 -0700
drivers/block/pktcdvd.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
Index: drivers/block/pktcdvd.c
===================================================================
--- ae5ce87f061f76da06cb78ce5c9cf3c8284fc0fc/drivers/block/pktcdvd.c (mode:100644)
+++ 13b1e48f4f3700603ed258c41e9e39978babf5ee/drivers/block/pktcdvd.c (mode:100644)
@@ -2406,7 +2406,7 @@
case CDROM_LAST_WRITTEN:
case CDROM_SEND_PACKET:
case SCSI_IOCTL_SEND_COMMAND:
- return ioctl_by_bdev(pd->bdev, cmd, arg);
+ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
case CDROMEJECT:
/*
@@ -2414,7 +2414,7 @@
* have to unlock it or else the eject command fails.
*/
pkt_lock_door(pd, 0);
- return ioctl_by_bdev(pd->bdev, cmd, arg);
+ return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
default:
printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
next prev parent reply other threads:[~2005-05-17 4:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-17 4:37 [GIT PATCH] Stable bugfixes for 2.6.12-rc4 Greg KH
2005-05-17 4:37 ` [PATCH] fix Linux kernel ELF core dump privilege elevation Greg KH
2005-05-17 4:37 ` [PATCH] Fix root hole in raw device Greg KH
2005-05-17 4:37 ` Greg KH [this message]
2005-05-17 5:00 ` [PATCH] Fix root hole in pktcdvd Al Viro
2005-05-17 5:54 ` Al Viro
2005-05-17 18:12 ` Peter Osterlund
2005-05-17 15:35 ` Greg KH
2005-05-17 4:57 ` [PATCH] Fix root hole in raw device Al Viro
2005-05-17 7:03 ` Willy Tarreau
2005-05-17 7:07 ` Willy Tarreau
2005-05-17 7:38 ` Al Viro
2005-05-17 7:32 ` Al Viro
2005-05-17 13:04 ` Stephen C. Tweedie
2005-05-17 16:53 ` Al Viro
2005-05-22 11:55 ` Peter Osterlund
2005-05-22 11:57 ` Peter Osterlund
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11163046692974@kroah.com \
--to=gregkh@suse.de \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=petero2@telia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox