wan/farsync: copy_from_user() to iomem is wrong

kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>

wan/farsync: copy_from_user() to iomem is wrong
kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
5ffa6d7f · Al Viro · Jeff Garzik · ed773b4a · 5ffa6d7f
Commit 5ffa6d7f authored Mar 16, 2008 by Al Viro Committed by Jeff Garzik Mar 17, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

drivers/net/wan/farsync.c drivers/net/wan/farsync.c +12 -5

No files found.
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 	struct fstioc_write wrthdr;
 	struct fstioc_info info;
 	unsigned long flags;
+	void *buf;

 	dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);

@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 			return -ENXIO;
 		}

-		/* Now copy the data to the card.
-		 * This will probably break on some architectures.
-		 * I'll fix it when I have something to test on.
-		 */
-		if (copy_from_user(card->mem + wrthdr.offset,
+		/* Now copy the data to the card. */
+
+		buf = kmalloc(wrthdr.size, GFP_KERNEL);
+		if (!buf)
+			return -ENOMEM;
+
+		if (copy_from_user(buf,
 				   ifr->ifr_data + sizeof (struct fstioc_write),
 				   wrthdr.size)) {
+			kfree(buf);
 			return -EFAULT;
 		}

+		memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
+		kfree(buf);
+
 		/* Writes to the memory of a card in the reset state constitute
 		 * a download
 		 */