mii ioctls and copy_to_user

[John Paul Foster <jaypee@jaypee.org.uk>]

[-- Attachment #1: Type: text/plain, Size: 1844 bytes --]

Hello all,

I've written a program that uses SIOCGMIIREG to query
various mii interfaces on my board. We have a switch chip
with multiple PHYs MACs and switch fabrics on the mii bus.

I'm using kernel 2.6.23

I set the ifru_data up like this in user space

#include <linux/mii.h> // The user side if.h
struct mii_ioctl_data mii;
mii.phy_addr=myphy;
mii.reg_num=myreg;
ifr.ifr_data=(__caddr_t)&mii;

as according to my libc (uclibc) <net/if.h> that is what ifr_data is a
pointer not a structure.

This doesn't work. I get garbage in the ifr_data used by the network
driver. (kernel space)

If I add a copy_from/to_user around the call to generic_mii_ioctl(),
then it works. My driver isn't in the main kernel it is the stmmac
driver at stlinux.org but the ioctl function is the same as many in main
tree, pcnet32_ioctl() for example.

mii-tool works without me patching the driver.

mii-tool sets the ioctl up like this.

#include "mii.h" // it's own mmi structure
struct mii_data *mii = (struct mii_data *)&ifr.ifr_data;
mii->reg_num = location;

in mii-tool ifr_data is a pointer not allocated storage so you shouldn't
do that. However ifr_data is part of a union and the biggest thing in it
is bigger than struct mii_data, so we are not going to crap on our
stack/heap. Not safe though if the structure of mii_data grows, or the
union changes size.

looking at <linux/if.h> (the kernel side if.h)
ifru_data is a 
void __user *ifru_data;

i.e. it needs copy_to/from_user.

Are the drivers AND mii-tool wrong? I'm feeling like either I've
uncovered a long standing bug (in both mii ioctls and mmi-tool) or I'm
missing something.

Apologies for the verbose message but I'm trying to tell it
as thoroughly as I can.

Cross posted on the linux-net list but it looks a pretty dead list.

JP

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 197 bytes --]