From: Arnaldo Carvalho de Melo Date: Sun, 19 May 2002 19:01:22 +0000 (-0300) Subject: drivers/block/*.c X-Git-Tag: v2.5.17~13 X-Git-Url: http://git.neil.brown.name/?a=commitdiff_plain;h=20131c106c10d60abc8d5a8c8399f75d1231fd4b;p=history.git drivers/block/*.c - fix copy_{to,from}_user error handling, thanks to Rusty for pointing this out on lkml --- diff --git a/drivers/block/DAC960.c b/drivers/block/DAC960.c index 12481db1849e..7ba55877b5a9 100644 --- a/drivers/block/DAC960.c +++ b/drivers/block/DAC960.c @@ -5473,9 +5473,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, int ControllerNumber, DataTransferLength; unsigned char *DataTransferBuffer = NULL; if (UserSpaceUserCommand == NULL) return -EINVAL; - ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand, - sizeof(DAC960_V1_UserCommand_T)); - if (ErrorCode != 0) goto Failure1; + if (copy_from_user(&UserCommand, UserSpaceUserCommand, + sizeof(DAC960_V1_UserCommand_T))) { + ErrorCode = -EFAULT; + goto Failure1; + } ControllerNumber = UserCommand.ControllerNumber; if (ControllerNumber < 0 || ControllerNumber > DAC960_ControllerCount - 1) @@ -5488,9 +5490,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, if (CommandOpcode & 0x80) return -EINVAL; if (CommandOpcode == DAC960_V1_DCDB) { - ErrorCode = - copy_from_user(&DCDB, UserCommand.DCDB, sizeof(DAC960_V1_DCDB_T)); - if (ErrorCode != 0) goto Failure1; + if (copy_from_user(&DCDB, UserCommand.DCDB, + sizeof(DAC960_V1_DCDB_T))) { + ErrorCode = -EFAULT; + goto Failure1; + } if (DCDB.Channel >= DAC960_V1_MaxChannels) return -EINVAL; if (!((DataTransferLength == 0 && DCDB.Direction 
@@ -5516,10 +5520,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, { DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL); if (DataTransferBuffer == NULL) return -ENOMEM; - ErrorCode = copy_from_user(DataTransferBuffer, - UserCommand.DataTransferBuffer, - -DataTransferLength); - if (ErrorCode != 0) goto Failure1; + if (copy_from_user(DataTransferBuffer, + UserCommand.DataTransferBuffer, + -DataTransferLength)) { + ErrorCode = -EFAULT; + goto Failure1; + } } if (CommandOpcode == DAC960_V1_DCDB) { @@ -5567,17 +5573,21 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, DAC960_ReleaseControllerLock(Controller, &ProcessorFlags); if (DataTransferLength > 0) { - ErrorCode = copy_to_user(UserCommand.DataTransferBuffer, - DataTransferBuffer, DataTransferLength); - if (ErrorCode != 0) goto Failure1; + if (copy_to_user(UserCommand.DataTransferBuffer, + DataTransferBuffer, DataTransferLength)) + ErrorCode = -EFAULT; + goto Failure1; + } } if (CommandOpcode == DAC960_V1_DCDB) { Controller->V1.DirectCommandActive[DCDB.Channel] [DCDB.TargetID] = false; - ErrorCode = - copy_to_user(UserCommand.DCDB, &DCDB, sizeof(DAC960_V1_DCDB_T)); - if (ErrorCode != 0) goto Failure1; + if (copy_to_user(UserCommand.DCDB, &DCDB, + sizeof(DAC960_V1_DCDB_T))) { + ErrorCode = -EFAULT; + goto Failure1; + } } ErrorCode = CommandStatus; Failure1: @@ -5600,9 +5610,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, unsigned char *DataTransferBuffer = NULL; unsigned char *RequestSenseBuffer = NULL; if (UserSpaceUserCommand == NULL) return -EINVAL; - ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand, - sizeof(DAC960_V2_UserCommand_T)); - if (ErrorCode != 0) goto Failure2; + if (copy_from_user(&UserCommand, UserSpaceUserCommand, + sizeof(DAC960_V2_UserCommand_T))) { + ErrorCode = -EFAULT; + goto Failure2; + } ControllerNumber = UserCommand.ControllerNumber; if (ControllerNumber < 0 || ControllerNumber > DAC960_ControllerCount - 1) 
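Review bot: The rewritten `copy_to_user` check for `UserCommand.DataTransferBuffer` in the `@@ -5567` hunk of DAC960_UserIOCTL has lost its opening brace: the condition ends in `DataTransferLength))` with no `{`, yet a closing `}` still follows `goto Failure1;`. As written only `ErrorCode = -EFAULT;` is conditional, so `goto Failure1;` runs whenever `DataTransferLength > 0`, skipping the `DirectCommandActive[DCDB.Channel][DCDB.TargetID] = false` reset and the DCDB copy-out below it. The braces also no longer balance. The condition line should read `DataTransferBuffer, DataTransferLength)) {`, as in every other check this commit adds. The function body starts and ends outside the hunk.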
@@ -5621,10 +5633,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, { DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL); if (DataTransferBuffer == NULL) return -ENOMEM; - ErrorCode = copy_from_user(DataTransferBuffer, - UserCommand.DataTransferBuffer, - -DataTransferLength); - if (ErrorCode != 0) goto Failure2; + if (copy_from_user(DataTransferBuffer, + UserCommand.DataTransferBuffer, + -DataTransferLength)) { + ErrorCode = -EFAULT; + goto Failure2; + } } RequestSenseLength = UserCommand.RequestSenseLength; if (RequestSenseLength > 0) 
@@ -5694,25 +5708,32 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, DAC960_ReleaseControllerLock(Controller, &ProcessorFlags); if (RequestSenseLength > UserCommand.RequestSenseLength) RequestSenseLength = UserCommand.RequestSenseLength; - ErrorCode = copy_to_user(&UserSpaceUserCommand->DataTransferLength, + if (copy_to_user(&UserSpaceUserCommand->DataTransferLength, &DataTransferResidue, - sizeof(DataTransferResidue)); - if (ErrorCode != 0) goto Failure2; - ErrorCode = copy_to_user(&UserSpaceUserCommand->RequestSenseLength, - &RequestSenseLength, - sizeof(RequestSenseLength)); - if (ErrorCode != 0) goto Failure2; + sizeof(DataTransferResidue))) { + ErrorCode = -EFAULT; + goto Failure2; + } + if (copy_to_user(&UserSpaceUserCommand->RequestSenseLength, + &RequestSenseLength, sizeof(RequestSenseLength))) { + ErrorCode = -EFAULT; + goto Failure2; + } if (DataTransferLength > 0) { - ErrorCode = copy_to_user(UserCommand.DataTransferBuffer, - DataTransferBuffer, DataTransferLength); - if (ErrorCode != 0) goto Failure2; + if (copy_to_user(UserCommand.DataTransferBuffer, + DataTransferBuffer, DataTransferLength)) { + ErrorCode = -EFAULT; + goto Failure2; + } } if (RequestSenseLength > 0) { - ErrorCode = copy_to_user(UserCommand.RequestSenseBuffer, - RequestSenseBuffer, RequestSenseLength); - if (ErrorCode != 0) goto Failure2; + if (copy_to_user(UserCommand.RequestSenseBuffer, + RequestSenseBuffer, RequestSenseLength)) { + ErrorCode = -EFAULT; + goto Failure2; + } } ErrorCode = CommandStatus; Failure2: 
@@ -5731,9 +5752,9 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, DAC960_Controller_T *Controller; int ControllerNumber; if (UserSpaceGetHealthStatus == NULL) return -EINVAL; - ErrorCode = copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus, - sizeof(DAC960_V2_GetHealthStatus_T)); - if (ErrorCode != 0) return ErrorCode; + if (copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus, + sizeof(DAC960_V2_GetHealthStatus_T))) + return -EFAULT; ControllerNumber = GetHealthStatus.ControllerNumber; if (ControllerNumber < 0 || ControllerNumber > DAC960_ControllerCount - 1) @@ -5741,10 +5762,10 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, Controller = DAC960_Controllers[ControllerNumber]; if (Controller == NULL) return -ENXIO; if (Controller->FirmwareType != DAC960_V2_Controller) return -EINVAL; - ErrorCode = copy_from_user(&HealthStatusBuffer, - GetHealthStatus.HealthStatusBuffer, - sizeof(DAC960_V2_HealthStatusBuffer_T)); - if (ErrorCode != 0) return ErrorCode; + if (copy_from_user(&HealthStatusBuffer, + GetHealthStatus.HealthStatusBuffer, + sizeof(DAC960_V2_HealthStatusBuffer_T))) + return -EFAULT; while (Controller->V2.HealthStatusBuffer->StatusChangeCounter == HealthStatusBuffer.StatusChangeCounter && Controller->V2.HealthStatusBuffer->NextEventSequenceNumber @@ -5754,10 +5775,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File, DAC960_MonitoringTimerInterval); if (signal_pending(current)) return -EINTR; } - ErrorCode = copy_to_user(GetHealthStatus.HealthStatusBuffer, - Controller->V2.HealthStatusBuffer, - sizeof(DAC960_V2_HealthStatusBuffer_T)); - return ErrorCode; + if (copy_to_user(GetHealthStatus.HealthStatusBuffer, + Controller->V2.HealthStatusBuffer, + sizeof(DAC960_V2_HealthStatusBuffer_T))) + return -EFAULT; + return 0; } } return -EINVAL; diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c index 314ade57968d..027bdaaf3189 100644 --- a/drivers/block/cpqarray.c +++ b/drivers/block/cpqarray.c 
@@ -1117,17 +1117,19 @@ static int ida_ioctl(struct inode *inode, struct file *filep, unsigned int cmd, put_user(get_start_sect(inode->i_rdev), &geo->start); return 0; case IDAGETDRVINFO: - return copy_to_user(&io->c.drv,&hba[ctlr]->drv[dsk],sizeof(drv_info_t)); + if (copy_to_user(&io->c.drv, &hba[ctlr]->drv[dsk], + sizeof(drv_info_t))) + return -EFAULT; + return 0; case BLKRRPART: return revalidate_logvol(inode->i_rdev, 1); case IDAPASSTHRU: if (!capable(CAP_SYS_RAWIO)) return -EPERM; - error = copy_from_user(&my_io, io, sizeof(my_io)); - if (error) return error; + if (copy_from_user(&my_io, io, sizeof(my_io))) + return -EFAULT; error = ida_ctlr_ioctl(ctlr, dsk, &my_io); if (error) return error; - error = copy_to_user(io, &my_io, sizeof(my_io)); - return error; + return copy_to_user(io, &my_io, sizeof(my_io)) ? -EFAULT : 0; case IDAGETCTLRSIG: if (!arg) return -EINVAL; put_user(hba[ctlr]->ctlr_sig, (int*)arg); @@ -1208,7 +1210,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io) cmd_free(h, c, 0); return(error); } - copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size); + if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) { + kfree(p); + cmd_free(h, c, 0); + return -EFAULT; + } c->req.hdr.blk = pci_map_single(h->pci_dev, &(io->c), sizeof(ida_ioctl_t), PCI_DMA_BIDIRECTIONAL); @@ -1245,7 +1251,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io) cmd_free(h, c, 0); return(error); } - copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size); + if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) { + kfree(p); + cmd_free(h, c, 0); + return -EFAULT; + } c->req.sg[0].size = io->sg[0].size; c->req.sg[0].addr = pci_map_single(h->pci_dev, p, c->req.sg[0].size, PCI_DMA_BIDIRECTIONAL); 
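Review bot: The `put_user()` calls left as context in ida_ioctl's `@@ -1117` hunk still discard their result, which is the same class of error this commit fixes for `copy_to_user`. After `put_user(get_start_sect(inode->i_rdev), &geo->start);` the code returns 0, so a faulting user pointer is reported as success. The `put_user(hba[ctlr]->ctlr_sig, (int*)arg);` under IDAGETCTLRSIG is unchecked in the same way, although what follows it is outside the hunk. Suggest `if (put_user(get_start_sect(inode->i_rdev), &geo->start)) return -EFAULT;`, and the same form for the IDAGETCTLRSIG case.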
@@ -1282,7 +1292,10 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io) case DIAG_PASS_THRU: case SENSE_CONTROLLER_PERFORMANCE: case READ_FLASH_ROM: - copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size); + if (copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size)) { + kfree(p); + return -EFAULT; + } /* fall through and free p */ case IDA_WRITE: case IDA_WRITE_MEDIA: diff --git a/drivers/block/paride/pg.c b/drivers/block/paride/pg.c index 8592e40392d5..1f05ab38cc84 100644 --- a/drivers/block/paride/pg.c +++ b/drivers/block/paride/pg.c @@ -623,7 +623,8 @@ static ssize_t pg_write(struct file * filp, const char * buf, if (PG.busy) return -EBUSY; if (count < hs) return -EINVAL; - copy_from_user((char *)&hdr,buf,hs); + if (copy_from_user((char *)&hdr, buf, hs)) + return -EFAULT; if (hdr.magic != PG_MAGIC) return -EINVAL; if (hdr.dlen > PG_MAX_DATA) return -EINVAL; @@ -647,8 +648,8 @@ static ssize_t pg_write(struct file * filp, const char * buf, PG.busy = 1; - copy_from_user(PG.bufptr,buf+hs,count-hs); - + if (copy_from_user(PG.bufptr, buf + hs, count - hs)) + return -EFAULT; return count; } @@ -682,9 +683,11 @@ static ssize_t pg_read(struct file * filp, char * buf, hdr.duration = (jiffies - PG.start + HZ/2) / HZ; hdr.scsi = PG.status & 0x0f; - copy_to_user(buf,(char *)&hdr,hs); - if (copy > 0) copy_to_user(buf+hs,PG.bufptr,copy); - + if (copy_to_user(buf, (char *)&hdr, hs)) + return -EFAULT; + if (copy > 0) + if (copy_to_user(buf+hs,PG.bufptr,copy)) + return -EFAULT; return copy+hs; } diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c index fab199e16a25..ccf3db7b1463 100644 --- a/drivers/block/paride/pt.c +++ b/drivers/block/paride/pt.c @@ -860,7 +860,10 @@ static ssize_t pt_read(struct file * filp, char * buf, n -= k; b = k; if (b > count) b = count; - copy_to_user(buf+t,PT.bufptr,b); + if (copy_to_user(buf + t, PT.bufptr, b)) { + pi_disconnect(PI); + return -EFAULT; + } t += b; count -= b; } 
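Review bot: The new failure path in ida_ctlr_ioctl's `@@ -1282` hunk does `kfree(p); return -EFAULT;` without `cmd_free(h, c, 0)`, whereas the two copy_from_user failure paths added earlier in the same function free both. Whether `c` is still allocated at this point is not visible in the hunk, but the "fall through and free p" comment suggests the normal path continues past the switch to a common release. If so, this early return leaks the command block each time the user buffer faults. Suggest `kfree(p); cmd_free(h, c, 0); return -EFAULT;`, or record the error and fall through so the existing cleanup runs.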
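Review bot: In pg_write's `@@ -647` hunk the new `return -EFAULT;` comes after `PG.busy = 1;`, so a faulting user buffer leaves the busy flag set. The `@@ -623` hunk shows `if (PG.busy) return -EBUSY;` at the top of the same function, so later writes would be refused until something outside these hunks clears the flag. Doing the `copy_from_user(PG.bufptr, buf + hs, count - hs)` check before `PG.busy = 1;` would avoid that. Ideally it would also come before the command is issued to the device, though that part of the function is not visible here.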
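Review bot: The nested unbraced `if (copy > 0) if (copy_to_user(buf+hs,PG.bufptr,copy)) return -EFAULT;` in pg_read's `@@ -682` hunk is easy to misread and invites a dangling-else mistake if the code is extended later. It also keeps the old spacing while the line above it was reformatted. A single condition says the same thing: `if (copy > 0 && copy_to_user(buf + hs, PG.bufptr, copy)) return -EFAULT;`.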
@@ -944,7 +947,10 @@ static ssize_t pt_write(struct file * filp, const char * buf, if (k > PT_BUFSIZE) k = PT_BUFSIZE; b = k; if (b > count) b = count; - copy_from_user(PT.bufptr,buf+t,b); + if (copy_from_user(PT.bufptr, buf + t, b)) { + pi_disconnect(PI); + return -EFAULT; + } pi_write_block(PI,PT.bufptr,k); t += b; count -= b; diff --git a/drivers/block/rd.c b/drivers/block/rd.c index d5af5c1d3196..e2b22a17629b 100644 --- a/drivers/block/rd.c +++ b/drivers/block/rd.c @@ -318,7 +318,8 @@ static ssize_t initrd_read(struct file *file, char *buf, left = initrd_end - initrd_start - *ppos; if (count > left) count = left; if (count == 0) return 0; - copy_to_user(buf, (char *)initrd_start + *ppos, count); + if (copy_to_user(buf, (char *)initrd_start + *ppos, count)) + return -EFAULT; *ppos += count; return count; } diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c index 5b223f90dcd9..d83408ba14fb 100644 --- a/drivers/block/swim3.c +++ b/drivers/block/swim3.c @@ -840,9 +840,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp, err = fd_eject(fs); return err; case FDGETPRM: - err = copy_to_user((void *) param, (void *) &floppy_type, - sizeof(struct floppy_struct)); - return err; + if (copy_to_user((void *) param, (void *)&floppy_type, + sizeof(struct floppy_struct))) + return -EFAULT; + return 0; } return -ENOTTY; } diff --git a/drivers/block/swim_iop.c b/drivers/block/swim_iop.c index cf99a0074948..d57ff9d3bbfb 100644 --- a/drivers/block/swim_iop.c +++ b/drivers/block/swim_iop.c @@ -360,9 +360,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp, err = swimiop_eject(fs); return err; case FDGETPRM: - err = copy_to_user((void *) param, (void *) &floppy_type, - sizeof(struct floppy_struct)); - return err; + if (copy_to_user((void *) param, (void *) &floppy_type, + sizeof(struct floppy_struct))) + return -EFAULT; + return 0; } return -ENOTTY; }
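Review bot: In pt_write's `@@ -944` hunk, `pi_write_block(PI,PT.bufptr,k)` still writes `k` bytes although only `b` bytes were copied in, and `b` is clamped to `count` on the line above. When `count` is smaller than `k`, the tail of `PT.bufptr` holds whatever an earlier operation left there, and that stale data goes out to the device. If the short final block is meant to be padded, clear the remainder first with something like `memset(PT.bufptr + b, 0, k - b);` (assuming `PT.bufptr` is a byte pointer, which should be confirmed). The enclosing loop starts outside the hunk.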