lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

wan/farsync: copy_from_user() to iomem is wrong

Browse Source 
kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
This commit is contained in:
Al Viro
2008-03-16 22:22:44 +00:00
committed by Jeff Garzik
parent ed773b4ab1
commit 5ffa6d7f61
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
drivers/net/wan/farsync.c
View File

@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
struct fstioc_write wrthdr; struct fstioc_write wrthdr;
struct fstioc_info info; struct fstioc_info info;
unsigned long flags; unsigned long flags;
void *buf;
dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data); dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
return -ENXIO; return -ENXIO;
} }
/* Now copy the data to the card. /* Now copy the data to the card. */
* This will probably break on some architectures.
* I'll fix it when I have something to test on. buf = kmalloc(wrthdr.size, GFP_KERNEL);
*/ if (!buf)
if (copy_from_user(card->mem + wrthdr.offset, return -ENOMEM;
if (copy_from_user(buf,
ifr->ifr_data + sizeof (struct fstioc_write), ifr->ifr_data + sizeof (struct fstioc_write),
wrthdr.size)) { wrthdr.size)) {
kfree(buf);
return -EFAULT; return -EFAULT;
} }
memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
kfree(buf);
/* Writes to the memory of a card in the reset state constitute /* Writes to the memory of a card in the reset state constitute
* a download * a download
*/ */