Annotate IPC system calls with user pointer annotations

include/asm-i386/ipc.h

@@ -7,7 +7,7 @@
  * See arch/i386/kernel/sys_i386.c for ugly details..
  */
 struct ipc_kludge {
-	struct msgbuf *msgp;
+	struct msgbuf __user *msgp;
 	long msgtyp;
 };
 

include/linux/msg.h

@@ -94,9 +94,9 @@ struct msg_queue {
 };
 
 asmlinkage long sys_msgget (key_t key, int msgflg);
-asmlinkage long sys_msgsnd (int msqid, struct msgbuf *msgp, size_t msgsz, int msgflg);
-asmlinkage long sys_msgrcv (int msqid, struct msgbuf *msgp, size_t msgsz, long msgtyp, int msgflg);
-asmlinkage long sys_msgctl (int msqid, int cmd, struct msqid_ds *buf);
+asmlinkage long sys_msgsnd (int msqid, struct msgbuf __user *msgp, size_t msgsz, int msgflg);
+asmlinkage long sys_msgrcv (int msqid, struct msgbuf __user *msgp, size_t msgsz, long msgtyp, int msgflg);
+asmlinkage long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf);
 
 #endif /* __KERNEL__ */
 

include/linux/security.h

@@ -1729,7 +1729,7 @@ static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
 }
 
 static inline int security_shm_shmat (struct shmid_kernel * shp, 
-				      char *shmaddr, int shmflg)
+				      char __user *shmaddr, int shmflg)
 {
 	return security_ops->shm_shmat(shp, shmaddr, shmflg);
 }
@@ -2322,7 +2322,7 @@ static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
 }
 
 static inline int security_shm_shmat (struct shmid_kernel * shp, 
-				      char *shmaddr, int shmflg)
+				      char __user *shmaddr, int shmflg)
 {
 	return 0;
 }

include/linux/sem.h

@@ -138,10 +138,10 @@ struct sysv_sem {
 };
 
 asmlinkage long sys_semget (key_t key, int nsems, int semflg);
-asmlinkage long sys_semop (int semid, struct sembuf *sops, unsigned nsops);
+asmlinkage long sys_semop (int semid, struct sembuf __user *sops, unsigned nsops);
 asmlinkage long sys_semctl (int semid, int semnum, int cmd, union semun arg);
-asmlinkage long sys_semtimedop(int semid, struct sembuf *sops,
-			unsigned nsops, const struct timespec *timeout);
+asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
+			unsigned nsops, const struct timespec __user *timeout);
 
 #endif /* __KERNEL__ */
 

include/linux/shm.h

@@ -90,10 +90,10 @@ struct shmid_kernel /* private to the kernel */
 #define SHM_LOCKED      02000   /* segment will not be swapped */
 #define SHM_HUGETLB     04000   /* segment will use huge TLB pages */
 
+long sys_shmat (int shmid, char __user *shmaddr, int shmflg, unsigned long *addr);
 asmlinkage long sys_shmget (key_t key, size_t size, int flag);
-asmlinkage long sys_shmat (int shmid, char *shmaddr, int shmflg, unsigned long *addr);
-asmlinkage long sys_shmdt (char *shmaddr);
-asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds *buf);
+asmlinkage long sys_shmdt (char __user *shmaddr);
+asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf);
 
 #endif /* __KERNEL__ */
 

ipc/shm.c

@@ -270,7 +270,7 @@ asmlinkage long sys_shmget (key_t key, size_t size, int shmflg)
 	return err;
 }
 
-static inline unsigned long copy_shmid_to_user(void *buf, struct shmid64_ds *in, int version)
+static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
 {
 	switch(version) {
 	case IPC_64:
@@ -301,7 +301,7 @@ struct shm_setbuf {
 	mode_t	mode;
 };	
 
-static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void *buf, int version)
+static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void __user *buf, int version)
 {
 	switch(version) {
 	case IPC_64:
@@ -335,7 +335,7 @@ static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void *b
 	}
 }
 
-static inline unsigned long copy_shminfo_to_user(void *buf, struct shminfo64 *in, int version)
+static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
 {
 	switch(version) {
 	case IPC_64:
@@ -393,7 +393,7 @@ static void shm_get_stat(unsigned long *rss, unsigned long *swp)
 	}
 }
 
-asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds *buf)
+asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf)
 {
 	struct shm_setbuf setbuf;
 	struct shmid_kernel *shp;
@@ -580,7 +580,7 @@ asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 
 	case IPC_SET:
 	{
-		if(copy_shmid_from_user (&setbuf, buf, version)) {
+		if (copy_shmid_from_user (&setbuf, buf, version)) {
 			err = -EFAULT;
 			goto out;
 		}
@@ -630,8 +630,12 @@ asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds *buf)
 
 /*
  * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists.
+ *
+ * NOTE! Despite the name, this is NOT a direct system call entrypoint. The
+ * "raddr" thing points to kernel space, and there has to be a wrapper around
+ * this.
  */
-asmlinkage long sys_shmat (int shmid, char *shmaddr, int shmflg, ulong *raddr)
+long sys_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
 {
 	struct shmid_kernel *shp;
 	unsigned long addr;
@@ -745,7 +749,7 @@ asmlinkage long sys_shmat (int shmid, char *shmaddr, int shmflg, ulong *raddr)
  * detach and kill segment if marked destroyed.
  * The work is done in shm_close.
  */
-asmlinkage long sys_shmdt(char *shmaddr)
+asmlinkage long sys_shmdt(char __user *shmaddr)
 {
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma, *next;