arch/*

drivers/cdrom/*
drivers/char/*

	Fix some copy_{to,from}_user and {put,get}_user error handling, and
        get rid of some verify_area calls, since copy_{to,from}_user already checks for errors.
parent a9907091
...@@ -116,15 +116,17 @@ static int osf_filldir(void *__buf, const char *name, int namlen, loff_t offset, ...@@ -116,15 +116,17 @@ static int osf_filldir(void *__buf, const char *name, int namlen, loff_t offset,
if (reclen > buf->count) if (reclen > buf->count)
return -EINVAL; return -EINVAL;
if (buf->basep) { if (buf->basep) {
put_user(offset, buf->basep); if (put_user(offset, buf->basep))
return -EFAULT;
buf->basep = NULL; buf->basep = NULL;
} }
dirent = buf->dirent; dirent = buf->dirent;
put_user(ino, &dirent->d_ino); put_user(ino, &dirent->d_ino);
put_user(namlen, &dirent->d_namlen); put_user(namlen, &dirent->d_namlen);
put_user(reclen, &dirent->d_reclen); put_user(reclen, &dirent->d_reclen);
copy_to_user(dirent->d_name, name, namlen); if (copy_to_user(dirent->d_name, name, namlen) ||
put_user(0, dirent->d_name + namlen); put_user(0, dirent->d_name + namlen))
return -EFAULT;
((char *) dirent) += reclen; ((char *) dirent) += reclen;
buf->dirent = dirent; buf->dirent = dirent;
buf->count -= reclen; buf->count -= reclen;
...@@ -629,18 +631,16 @@ asmlinkage long osf_proplist_syscall(enum pl_code code, union pl_args *args) ...@@ -629,18 +631,16 @@ asmlinkage long osf_proplist_syscall(enum pl_code code, union pl_args *args)
error = args->fset.nbytes; error = args->fset.nbytes;
break; break;
case PL_GET: case PL_GET:
get_user(min_buf_size_ptr, &args->get.min_buf_size); error = get_user(min_buf_size_ptr, &args->get.min_buf_size);
error = verify_area(VERIFY_WRITE, min_buf_size_ptr, if (error)
sizeof(*min_buf_size_ptr)); break;
if (!error) error = put_user(0, min_buf_size_ptr);
put_user(0, min_buf_size_ptr);
break; break;
case PL_FGET: case PL_FGET:
get_user(min_buf_size_ptr, &args->fget.min_buf_size); error = get_user(min_buf_size_ptr, &args->fget.min_buf_size);
error = verify_area(VERIFY_WRITE, min_buf_size_ptr, if (error)
sizeof(*min_buf_size_ptr)); break;
if (!error) error = put_user(0, min_buf_size_ptr);
put_user(0, min_buf_size_ptr);
break; break;
case PL_DEL: case PL_DEL:
case PL_FDEL: case PL_FDEL:
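Review bot: In osf_filldir the three `put_user` calls that store `ino`, `namlen` and `reclen` into the dirent are still unchecked on the new side, so a fault on any of them goes unreported even though the name copy right after them now returns -EFAULT. They can be folded into the same test: `if (put_user(ino, &dirent->d_ino) || put_user(namlen, &dirent->d_namlen) || put_user(reclen, &dirent->d_reclen)) return -EFAULT;`. The function body starts and ends outside the hunk, so the surrounding error handling could not be checked.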
......
...@@ -253,9 +253,8 @@ restore_sigcontext(struct sigcontext *sc, struct pt_regs *regs, ...@@ -253,9 +253,8 @@ restore_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
struct switch_stack *sw) struct switch_stack *sw)
{ {
unsigned long usp; unsigned long usp;
long i, err = 0; long i, err = __get_user(regs->pc, &sc->sc_pc);
err |= __get_user(regs->pc, &sc->sc_pc);
sw->r26 = (unsigned long) ret_from_sys_call; sw->r26 = (unsigned long) ret_from_sys_call;
err |= __get_user(regs->r0, sc->sc_regs+0); err |= __get_user(regs->r0, sc->sc_regs+0);
......
...@@ -551,7 +551,8 @@ static ssize_t sync_serial_manual_write(struct file * file, const char * buf, ...@@ -551,7 +551,8 @@ static ssize_t sync_serial_manual_write(struct file * file, const char * buf,
} }
port = &ports[dev]; port = &ports[dev];
copy_from_user(port->out_buffer, buf, count); if (copy_from_user(port->out_buffer, buf, count))
return -EFAULT;
port->outp = port->out_buffer; port->outp = port->out_buffer;
port->out_count = count; port->out_count = count;
port->odd_output = 1; port->odd_output = 1;
...@@ -597,7 +598,8 @@ static ssize_t sync_serial_write(struct file * file, const char * buf, ...@@ -597,7 +598,8 @@ static ssize_t sync_serial_write(struct file * file, const char * buf,
return sync_serial_manual_write(file, buf, count, ppos); return sync_serial_manual_write(file, buf, count, ppos);
} }
copy_from_user(port->out_buffer, buf, count); if (copy_from_user(port->out_buffer, buf, count))
return -EFAULT;
add_wait_queue(&port->out_wait_q, &wait); add_wait_queue(&port->out_wait_q, &wait);
set_current_state(TASK_INTERRUPTIBLE); set_current_state(TASK_INTERRUPTIBLE);
start_dma(port, buf, count); start_dma(port, buf, count);
...@@ -658,7 +660,8 @@ static ssize_t sync_serial_read(struct file * file, char * buf, ...@@ -658,7 +660,8 @@ static ssize_t sync_serial_read(struct file * file, char * buf,
avail = port->in_buffer + IN_BUFFER_SIZE - start; avail = port->in_buffer + IN_BUFFER_SIZE - start;
count = count > avail ? avail : count; count = count > avail ? avail : count;
copy_to_user(buf, start, count); if (copy_to_user(buf, start, count))
return -EFAULT;
/* Disable interrupts while updating readp */ /* Disable interrupts while updating readp */
save_flags(flags); save_flags(flags);
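Review bot: Both write paths copy `count` bytes into `port->out_buffer`, and neither hunk shows `count` being bounded by the size of that buffer. If no earlier check exists in sync_serial_manual_write and sync_serial_write, a large write overruns the buffer regardless of the new -EFAULT handling, and a guard such as `if (count > sizeof(port->out_buffer)) return -EINVAL;` would be needed (assuming out_buffer is an array member; otherwise compare against its allocation size). In sync_serial_write, `start_dma(port, buf, count)` is still handed the user pointer `buf` rather than the kernel copy just made, which is worth confirming as intended. All three functions start and end outside their hunks.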
......
...@@ -278,7 +278,8 @@ mmap_subpage (struct file *file, unsigned long start, unsigned long end, int pro ...@@ -278,7 +278,8 @@ mmap_subpage (struct file *file, unsigned long start, unsigned long end, int pro
return -ENOMEM; return -ENOMEM;
if (old_prot) if (old_prot)
copy_from_user(page, (void *) PAGE_START(start), PAGE_SIZE); if (copy_from_user(page, (void *) PAGE_START(start), PAGE_SIZE))
return -EFAULT;
down_write(&current->mm->mmap_sem); down_write(&current->mm->mmap_sem);
{ {
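Review bot: The new `return -EFAULT;` in mmap_subpage leaves the function without releasing `page`. The preceding `return -ENOMEM;` looks like the failure path of the allocation of `page`, which itself is above the hunk. If that reading is right, every faulting call leaks the page, so release it before returning with whatever matches the allocator used above, for example `free_page((unsigned long) page);` if it came from get_free_page.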
......
...@@ -202,16 +202,30 @@ static int ifconfig_net_ioctl(struct inode * inode, struct file * file, ...@@ -202,16 +202,30 @@ static int ifconfig_net_ioctl(struct inode * inode, struct file * file,
* Read in the header and see how big of a buffer we really need to * Read in the header and see how big of a buffer we really need to
* allocate. * allocate.
*/ */
ifname_num = (struct ifname_num *) kmalloc(sizeof(struct ifname_num), ifname_num = kmalloc(sizeof(struct ifname_num), GFP_KERNEL);
GFP_KERNEL); if (!ifname_num)
copy_from_user( ifname_num, (char *) arg, sizeof(struct ifname_num)); return -ENOMEM;
if (copy_from_user(ifname_num, (char *)arg,
sizeof(struct ifname_num))) {
kfree(ifname_num);
return -EFAULT;
}
size = ifname_num->size; size = ifname_num->size;
kfree(ifname_num); kfree(ifname_num);
ifname_num = (struct ifname_num *) kmalloc(size, GFP_KERNEL); ifname_num = kmalloc(size, GFP_KERNEL);
if (!ifname_num)
return -ENOMEM;
ifname_MAC = (struct ifname_MAC *) ((char *)ifname_num + (sizeof(struct ifname_num)) ); ifname_MAC = (struct ifname_MAC *) ((char *)ifname_num + (sizeof(struct ifname_num)) );
copy_from_user( ifname_num, (char *) arg, size); if (copy_from_user(ifname_num, (char *)arg, size)) {
kfree(ifname_num);
return -EFAULT;
}
new_devices = kmalloc(size - sizeof(struct ifname_num), GFP_KERNEL); new_devices = kmalloc(size - sizeof(struct ifname_num), GFP_KERNEL);
if (!new_devices) {
kfree(ifname_num);
return -EFAULT;
}
temp_new_devices = new_devices; temp_new_devices = new_devices;
memset(new_devices, 0, size - sizeof(struct ifname_num)); memset(new_devices, 0, size - sizeof(struct ifname_num));
...@@ -257,9 +271,9 @@ static int ifconfig_net_ioctl(struct inode * inode, struct file * file, ...@@ -257,9 +271,9 @@ static int ifconfig_net_ioctl(struct inode * inode, struct file * file,
/* /*
* Copy back to the User Buffer area any new devices encountered. * Copy back to the User Buffer area any new devices encountered.
*/ */
copy_to_user((char *)arg + (sizeof(struct ifname_num)), new_devices, if (copy_to_user((char *)arg + (sizeof(struct ifname_num)),
size - sizeof(struct ifname_num)); new_devices, size - sizeof(struct ifname_num)))
return -EFAULT;
return(0); return(0);
} }
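Review bot: `size` comes straight from user memory and is never validated in ifconfig_net_ioctl. If it is smaller than `sizeof(struct ifname_num)`, `size - sizeof(struct ifname_num)` wraps and `ifname_MAC` points past the `ifname_num` allocation; as far as the hunk shows, the function then bails out only because the oversized `kmalloc` for `new_devices` fails. Add `if (size < sizeof(struct ifname_num)) return -EINVAL;` after the first `kfree(ifname_num)`, plus a sane upper bound. The header is also fetched from user space a second time, so code below the hunk should use the local `size` rather than `ifname_num->size`. Two smaller points: the failed `new_devices` allocation returns `-EFAULT` where `-ENOMEM` is meant, and the `copy_to_user` failure in the second hunk returns with no visible `kfree` of `ifname_num` or `new_devices` (they may be freed above that hunk).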
......
...@@ -1048,10 +1048,7 @@ asmlinkage int irix_sgikopt(char *istring, char *ostring, int len) ...@@ -1048,10 +1048,7 @@ asmlinkage int irix_sgikopt(char *istring, char *ostring, int len)
asmlinkage int irix_gettimeofday(struct timeval *tv) asmlinkage int irix_gettimeofday(struct timeval *tv)
{ {
int retval; return copy_to_user(tv, &xtime, sizeof(*tv)) ? -EFAULT : 0;
retval = copy_to_user(tv, &xtime, sizeof(*tv)) ? -EFAULT : 0;
return retval;
} }
#define IRIX_MAP_AUTOGROW 0x40 #define IRIX_MAP_AUTOGROW 0x40
......
...@@ -950,7 +950,10 @@ int mf_setVmlinuxChunk(const char *buffer, int size, int offset, u64 side) ...@@ -950,7 +950,10 @@ int mf_setVmlinuxChunk(const char *buffer, int size, int offset, u64 side)
return -ENOMEM; return -ENOMEM;
} }
copy_from_user(page, buffer, size); if (copy_from_user(page, buffer, size)) {
rc = -EFAULT;
goto out;
}
memset(&myVspCmd, 0, sizeof(myVspCmd)); memset(&myVspCmd, 0, sizeof(myVspCmd));
myVspCmd.xCmd = 30; myVspCmd.xCmd = 30;
...@@ -973,7 +976,7 @@ int mf_setVmlinuxChunk(const char *buffer, int size, int offset, u64 side) ...@@ -973,7 +976,7 @@ int mf_setVmlinuxChunk(const char *buffer, int size, int offset, u64 side)
rc = -ENOMEM; rc = -ENOMEM;
} }
} }
out:
pci_free_consistent(NULL, size, page, dma_addr); pci_free_consistent(NULL, size, page, dma_addr);
return rc; return rc;
......
...@@ -223,7 +223,8 @@ static ssize_t ppc_htab_read(struct file * file, char * buf, ...@@ -223,7 +223,8 @@ static ssize_t ppc_htab_read(struct file * file, char * buf,
n = strlen(buffer) - *ppos; n = strlen(buffer) - *ppos;
if (n > count) if (n > count)
n = count; n = count;
copy_to_user(buf, buffer + *ppos, n); if (copy_to_user(buf, buffer + *ppos, n))
return -EFAULT;
*ppos += n; *ppos += n;
return n; return n;
} }
......
...@@ -99,9 +99,7 @@ static ssize_t rtas_log_read(struct file * file, char * buf, ...@@ -99,9 +99,7 @@ static ssize_t rtas_log_read(struct file * file, char * buf,
rtas_log_size -= 1; rtas_log_size -= 1;
spin_unlock(&rtas_log_lock); spin_unlock(&rtas_log_lock);
copy_to_user(buf, tmp, count); error = copy_to_user(buf, tmp, count) ? -EFAULT : count;
error = count;
out: out:
kfree(tmp); kfree(tmp);
return error; return error;
......
...@@ -820,14 +820,18 @@ int timod_getmsg(unsigned int fd, char *ctl_buf, int ctl_maxlen, s32 *ctl_len, ...@@ -820,14 +820,18 @@ int timod_getmsg(unsigned int fd, char *ctl_buf, int ctl_maxlen, s32 *ctl_len,
if (error && ctl_maxlen > sizeof(udi) && sock->state == TS_IDLE) { if (error && ctl_maxlen > sizeof(udi) && sock->state == TS_IDLE) {
SOLD("generating udi"); SOLD("generating udi");
udi.PRIM_type = T_UNITDATA_IND; udi.PRIM_type = T_UNITDATA_IND;
get_user(udi.SRC_length, ctl_len); if (get_user(udi.SRC_length, ctl_len))
return -EFAULT;
udi.SRC_offset = sizeof(udi); udi.SRC_offset = sizeof(udi);
udi.OPT_length = udi.OPT_offset = 0; udi.OPT_length = udi.OPT_offset = 0;
copy_to_user(ctl_buf, &udi, sizeof(udi)); if (copy_to_user(ctl_buf, &udi, sizeof(udi)) ||
put_user(sizeof(udi)+udi.SRC_length, ctl_len); put_user(sizeof(udi)+udi.SRC_length, ctl_len))
return -EFAULT;
SOLD("udi done"); SOLD("udi done");
} else } else {
put_user(0, ctl_len); if (put_user(0, ctl_len))
return -EFAULT;
}
put_user(error, data_len); put_user(error, data_len);
SOLD("done"); SOLD("done");
return 0; return 0;
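Review bot: The final `put_user(error, data_len);` in timod_getmsg is still unchecked on the new side, so a bad `data_len` pointer yields a return of 0 with the length never written, while every other user access in this block now reports -EFAULT. Make it `if (put_user(error, data_len)) return -EFAULT;`. The function starts outside the hunk, so it is worth confirming that the new early returns do not skip any cleanup the code above expects to reach before `return 0`.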
......
...@@ -139,7 +139,10 @@ static inline ssize_t hci_vhci_get_user(struct hci_vhci_struct *hci_vhci, const ...@@ -139,7 +139,10 @@ static inline ssize_t hci_vhci_get_user(struct hci_vhci_struct *hci_vhci, const
if (!(skb = bluez_skb_alloc(count, GFP_KERNEL))) if (!(skb = bluez_skb_alloc(count, GFP_KERNEL)))
return -ENOMEM; return -ENOMEM;
copy_from_user(skb_put(skb, count), buf, count); if (copy_from_user(skb_put(skb, count), buf, count)) {
kfree_skb(skb);
return -EFAULT;
}
skb->dev = (void *) &hci_vhci->hdev; skb->dev = (void *) &hci_vhci->hdev;
skb->pkt_type = *((__u8 *) skb->data); skb->pkt_type = *((__u8 *) skb->data);
...@@ -170,7 +173,8 @@ static inline ssize_t hci_vhci_put_user(struct hci_vhci_struct *hci_vhci, ...@@ -170,7 +173,8 @@ static inline ssize_t hci_vhci_put_user(struct hci_vhci_struct *hci_vhci,
char *ptr = buf; char *ptr = buf;
len = MIN(skb->len, len); len = MIN(skb->len, len);
copy_to_user(ptr, skb->data, len); if (copy_to_user(ptr, skb->data, len))
return -EFAULT;
total += len; total += len;
hci_vhci->hdev.stat.byte_tx += len; hci_vhci->hdev.stat.byte_tx += len;
......
...@@ -2619,13 +2619,14 @@ static int read_audio(struct cdrom_read_audio *ra) ...@@ -2619,13 +2619,14 @@ static int read_audio(struct cdrom_read_audio *ra)
retval = -EIO; retval = -EIO;
goto exit_read_audio; goto exit_read_audio;
} }
} else { } else if (copy_to_user((char *)(ra->buf +
copy_to_user((char *) (ra->buf +
(CD_FRAMESIZE_RAW (CD_FRAMESIZE_RAW
* cframe)), * cframe)),
(char *) (char *)
readahead_buffer, readahead_buffer,
CD_FRAMESIZE_RAW); CD_FRAMESIZE_RAW)) {
retval = -EFAULT;
goto exit_read_audio;
} }
} else { } else {
printk printk
...@@ -2635,12 +2636,12 @@ static int read_audio(struct cdrom_read_audio *ra) ...@@ -2635,12 +2636,12 @@ static int read_audio(struct cdrom_read_audio *ra)
retval = -EIO; retval = -EIO;
goto exit_read_audio; goto exit_read_audio;
} }
} else { } else if (copy_to_user((char *)(ra->buf + (CD_FRAMESIZE_RAW *
copy_to_user((char *) (ra->buf + cframe)),
(CD_FRAMESIZE_RAW * (char *)readahead_buffer,
cframe)), CD_FRAMESIZE_RAW)) {
(char *) readahead_buffer, retval = -EFAULT;
CD_FRAMESIZE_RAW); goto exit_read_audio;
} }
cframe++; cframe++;
......
...@@ -1445,10 +1445,8 @@ static int cdromplaymsf(unsigned long arg) ...@@ -1445,10 +1445,8 @@ static int cdromplaymsf(unsigned long arg)
int status; int status;
struct cdrom_msf msf; struct cdrom_msf msf;
status = verify_area(VERIFY_READ, (void *) arg, sizeof msf); if (copy_from_user(&msf, (void *) arg, sizeof msf))
if (status) return -EFAULT;
return status;
copy_from_user(&msf, (void *) arg, sizeof msf);
bin2bcd(&msf); bin2bcd(&msf);
status = exec_long_cmd(COMPLAY, &msf); status = exec_long_cmd(COMPLAY, &msf);
...@@ -1469,10 +1467,8 @@ static int cdromplaytrkind(unsigned long arg) ...@@ -1469,10 +1467,8 @@ static int cdromplaytrkind(unsigned long arg)
struct cdrom_ti ti; struct cdrom_ti ti;
struct cdrom_msf msf; struct cdrom_msf msf;
status = verify_area(VERIFY_READ, (void *) arg, sizeof ti); if (copy_from_user(&ti, (void *) arg, sizeof ti))
if (status) return -EFAULT;
return status;
copy_from_user(&ti, (void *) arg, sizeof ti);
if (ti.cdti_trk0 < disk_info.first if (ti.cdti_trk0 < disk_info.first
|| ti.cdti_trk0 > disk_info.last || ti.cdti_trk0 > disk_info.last
...@@ -1514,15 +1510,10 @@ static int cdromreadtochdr(unsigned long arg) ...@@ -1514,15 +1510,10 @@ static int cdromreadtochdr(unsigned long arg)
int status; int status;
struct cdrom_tochdr tochdr; struct cdrom_tochdr tochdr;
status = verify_area(VERIFY_WRITE, (void *) arg, sizeof tochdr);
if (status)
return status;
tochdr.cdth_trk0 = disk_info.first; tochdr.cdth_trk0 = disk_info.first;
tochdr.cdth_trk1 = disk_info.last; tochdr.cdth_trk1 = disk_info.last;
copy_to_user((void *) arg, &tochdr, sizeof tochdr); return copy_to_user((void *)arg, &tochdr, sizeof tochdr) ? -EFAULT : 0;
return 0;
} }
...@@ -1532,10 +1523,8 @@ static int cdromreadtocentry(unsigned long arg) ...@@ -1532,10 +1523,8 @@ static int cdromreadtocentry(unsigned long arg)
struct cdrom_tocentry entry; struct cdrom_tocentry entry;
struct cdrom_subchnl *tocptr; struct cdrom_subchnl *tocptr;
status = verify_area(VERIFY_WRITE, (void *) arg, sizeof entry); if (copy_from_user(&entry, (void *) arg, sizeof entry))
if (status) return -EFAULT;
return status;
copy_from_user(&entry, (void *) arg, sizeof entry);
if (entry.cdte_track == CDROM_LEADOUT) if (entry.cdte_track == CDROM_LEADOUT)
tocptr = &toc[disk_info.last + 1]; tocptr = &toc[disk_info.last + 1];
...@@ -1557,8 +1546,7 @@ static int cdromreadtocentry(unsigned long arg) ...@@ -1557,8 +1546,7 @@ static int cdromreadtocentry(unsigned long arg)
else if (entry.cdte_format != CDROM_MSF) else if (entry.cdte_format != CDROM_MSF)
return -EINVAL; return -EINVAL;
copy_to_user((void *) arg, &entry, sizeof entry); return copy_to_user((void *)arg, &entry, sizeof entry) ? -EFAULT : 0;
return 0;
} }
...@@ -1568,10 +1556,8 @@ static int cdromvolctrl(unsigned long arg) ...@@ -1568,10 +1556,8 @@ static int cdromvolctrl(unsigned long arg)
struct cdrom_volctrl volctrl; struct cdrom_volctrl volctrl;
struct cdrom_msf msf; struct cdrom_msf msf;
status = verify_area(VERIFY_READ, (void *) arg, sizeof volctrl); if (copy_from_user(&volctrl, (char *) arg, sizeof volctrl))
if (status) return -EFAULT;
return status;
copy_from_user(&volctrl, (char *) arg, sizeof volctrl);
msf.cdmsf_min0 = 0x10; msf.cdmsf_min0 = 0x10;
msf.cdmsf_sec0 = 0x32; msf.cdmsf_sec0 = 0x32;
...@@ -1594,10 +1580,8 @@ static int cdromsubchnl(unsigned long arg) ...@@ -1594,10 +1580,8 @@ static int cdromsubchnl(unsigned long arg)
int status; int status;
struct cdrom_subchnl subchnl; struct cdrom_subchnl subchnl;
status = verify_area(VERIFY_WRITE, (void *) arg, sizeof subchnl); if (copy_from_user(&subchnl, (void *) arg, sizeof subchnl))
if (status) return -EFAULT;
return status;
copy_from_user(&subchnl, (void *) arg, sizeof subchnl);
if (subchnl.cdsc_format != CDROM_LBA if (subchnl.cdsc_format != CDROM_LBA
&& subchnl.cdsc_format != CDROM_MSF) && subchnl.cdsc_format != CDROM_MSF)
...@@ -1609,7 +1593,8 @@ static int cdromsubchnl(unsigned long arg) ...@@ -1609,7 +1593,8 @@ static int cdromsubchnl(unsigned long arg)
return -EIO; return -EIO;
} }
copy_to_user((void *) arg, &subchnl, sizeof subchnl); if (copy_to_user((void *)arg, &subchnl, sizeof subchnl))
return -EFAULT;
return 0; return 0;
} }
...@@ -1620,10 +1605,8 @@ static int cdromread(unsigned long arg, int blocksize, int cmd) ...@@ -1620,10 +1605,8 @@ static int cdromread(unsigned long arg, int blocksize, int cmd)
struct cdrom_msf msf; struct cdrom_msf msf;
char buf[CD_FRAMESIZE_RAWER]; char buf[CD_FRAMESIZE_RAWER];
status = verify_area(VERIFY_WRITE, (void *) arg, blocksize); if (copy_from_user(&msf, (void *) arg, sizeof msf))
if (status) return -EFAULT;
return status;
copy_from_user(&msf, (void *) arg, sizeof msf);
bin2bcd(&msf); bin2bcd(&msf);
msf.cdmsf_min1 = 0; msf.cdmsf_min1 = 0;
...@@ -1637,8 +1620,7 @@ static int cdromread(unsigned long arg, int blocksize, int cmd) ...@@ -1637,8 +1620,7 @@ static int cdromread(unsigned long arg, int blocksize, int cmd)
return -EIO; return -EIO;
fetch_data(buf, blocksize); fetch_data(buf, blocksize);
copy_to_user((void *) arg, &buf, blocksize); return copy_to_user((void *)arg, &buf, blocksize) ? -EFAULT : 0;
return 0;
} }
...@@ -1647,10 +1629,8 @@ static int cdromseek(unsigned long arg) ...@@ -1647,10 +1629,8 @@ static int cdromseek(unsigned long arg)
int status; int status;
struct cdrom_msf msf; struct cdrom_msf msf;
status = verify_area(VERIFY_READ, (void *) arg, sizeof msf); if (copy_from_user(&msf, (void *)arg, sizeof msf))
if (status) return -EFAULT;
return status;
copy_from_user(&msf, (void *) arg, sizeof msf);
bin2bcd(&msf); bin2bcd(&msf);
status = exec_seek_cmd(COMSEEK, &msf); status = exec_seek_cmd(COMSEEK, &msf);
...@@ -1669,10 +1649,8 @@ static int cdrommultisession(unsigned long arg) ...@@ -1669,10 +1649,8 @@ static int cdrommultisession(unsigned long arg)
int status; int status;
struct cdrom_multisession ms; struct cdrom_multisession ms;
status = verify_area(VERIFY_WRITE, (void*) arg, sizeof ms); if (copy_from_user(&ms, (void*) arg, sizeof ms))
if (status) return -EFAULT;
return status;
copy_from_user(&ms, (void*) arg, sizeof ms);
ms.addr.msf.minute = disk_info.last_session.minute; ms.addr.msf.minute = disk_info.last_session.minute;
ms.addr.msf.second = disk_info.last_session.second; ms.addr.msf.second = disk_info.last_session.second;
...@@ -1686,8 +1664,8 @@ static int cdrommultisession(unsigned long arg) ...@@ -1686,8 +1664,8 @@ static int cdrommultisession(unsigned long arg)
ms.xa_flag = disk_info.xa; ms.xa_flag = disk_info.xa;
copy_to_user((void*) arg, &ms, if (copy_to_user((void *)arg, &ms, sizeof(struct cdrom_multisession)))
sizeof(struct cdrom_multisession)); return -EFAULT;
#if DEBUG_MULTIS #if DEBUG_MULTIS
if (ms.addr_format == CDROM_MSF) if (ms.addr_format == CDROM_MSF)
......
...@@ -4255,9 +4255,9 @@ static int sbpcd_dev_ioctl(struct cdrom_device_info *cdi, u_int cmd, ...@@ -4255,9 +4255,9 @@ static int sbpcd_dev_ioctl(struct cdrom_device_info *cdi, u_int cmd,
if (D_S[d].has_data>1) RETURN_UP(-EBUSY); if (D_S[d].has_data>1) RETURN_UP(-EBUSY);
#endif /* SAFE_MIXED */ #endif /* SAFE_MIXED */
if (D_S[d].aud_buf==NULL) RETURN_UP(-EINVAL); if (D_S[d].aud_buf==NULL) RETURN_UP(-EINVAL);
i=verify_area(VERIFY_READ, (void *) arg, sizeof(struct cdrom_read_audio)); if (copy_from_user(&read_audio, (void *)arg,
if (i) RETURN_UP(i); sizeof(struct cdrom_read_audio)))
copy_from_user(&read_audio, (void *) arg, sizeof(struct cdrom_read_audio)); RETURN_UP(-EFAULT);
if (read_audio.nframes < 0 || read_audio.nframes>D_S[d].sbp_audsiz) RETURN_UP(-EINVAL); if (read_audio.nframes < 0 || read_audio.nframes>D_S[d].sbp_audsiz) RETURN_UP(-EINVAL);
i=verify_area(VERIFY_WRITE, read_audio.buf, i=verify_area(VERIFY_WRITE, read_audio.buf,
read_audio.nframes*CD_FRAMESIZE_RAW); read_audio.nframes*CD_FRAMESIZE_RAW);
...@@ -4454,9 +4454,10 @@ static int sbpcd_dev_ioctl(struct cdrom_device_info *cdi, u_int cmd, ...@@ -4454,9 +4454,10 @@ static int sbpcd_dev_ioctl(struct cdrom_device_info *cdi, u_int cmd,
msg(DBG_AUD,"read_audio: cc_ReadError was necessary after read: %02X\n",i); msg(DBG_AUD,"read_audio: cc_ReadError was necessary after read: %02X\n",i);
continue; continue;
} }
copy_to_user((u_char *) read_audio.buf, if (copy_to_user((u_char *)read_audio.buf,
(u_char *) D_S[d].aud_buf, (u_char *) D_S[d].aud_buf,
read_audio.nframes*CD_FRAMESIZE_RAW); read_audio.nframes * CD_FRAMESIZE_RAW))
RETURN_UP(-EFAULT);
msg(DBG_AUD,"read_audio: copy_to_user done.\n"); msg(DBG_AUD,"read_audio: copy_to_user done.\n");
break; break;
} }
......
...@@ -795,16 +795,12 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp, ...@@ -795,16 +795,12 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp,
case CDROMPLAYTRKIND:{ case CDROMPLAYTRKIND:{
struct cdrom_ti ti; struct cdrom_ti ti;
int s; int s = -EFAULT;
#if defined( SJCD_TRACE ) #if defined( SJCD_TRACE )
printk("SJCD: ioctl: playtrkind\n"); printk("SJCD: ioctl: playtrkind\n");
#endif #endif
if ((s = if (!copy_from_user(&ti, (void *) arg, sizeof(ti))) {
verify_area(VERIFY_READ, (void *) arg, s = 0;
sizeof(ti))) == 0) {
copy_from_user(&ti, (void *) arg,
sizeof(ti));
if (ti.cdti_trk0 < sjcd_first_track_no) if (ti.cdti_trk0 < sjcd_first_track_no)
return (-EINVAL); return (-EINVAL);
if (ti.cdti_trk1 > sjcd_last_track_no) if (ti.cdti_trk1 > sjcd_last_track_no)
...@@ -879,19 +875,15 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp, ...@@ -879,19 +875,15 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp,
case CDROMREADTOCHDR:{ case CDROMREADTOCHDR:{
struct cdrom_tochdr toc_header; struct cdrom_tochdr toc_header;
int s;
#if defined (SJCD_TRACE ) #if defined (SJCD_TRACE )
printk("SJCD: ioctl: readtocheader\n"); printk("SJCD: ioctl: readtocheader\n");
#endif #endif
if ((s = toc_header.cdth_trk0 = sjcd_first_track_no;
verify_area(VERIFY_WRITE, (void *) arg, toc_header.cdth_trk1 = sjcd_last_track_no;
sizeof(toc_header))) == 0) { if (copy_to_user((void *)arg, &toc_header,
toc_header.cdth_trk0 = sjcd_first_track_no; sizeof(toc_header)))
toc_header.cdth_trk1 = sjcd_last_track_no; return -EFAULT;
copy_to_user((void *) arg, &toc_header, return 0;
sizeof(toc_header));
}
return (s);
} }
case CDROMREADTOCENTRY:{ case CDROMREADTOCENTRY:{
...@@ -942,8 +934,9 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp, ...@@ -942,8 +934,9 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp,
default: default:
return (-EINVAL); return (-EINVAL);
} }
copy_to_user((void *) arg, &toc_entry, if (copy_to_user((void *) arg, &toc_entry,
sizeof(toc_entry)); sizeof(toc_entry)))
s = -EFAULT;
} }
return (s); return (s);
} }
...@@ -998,8 +991,9 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp, ...@@ -998,8 +991,9 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp,
default: default:
return (-EINVAL); return (-EINVAL);
} }
copy_to_user((void *) arg, &subchnl, if (copy_to_user((void *) arg, &subchnl,
sizeof(subchnl)); sizeof(subchnl)))
s = -EFAULT;
} }
return (s); return (s);
} }
...@@ -1041,16 +1035,13 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp, ...@@ -1041,16 +1035,13 @@ static int sjcd_ioctl(struct inode *ip, struct file *fp,
#if defined( SJCD_GATHER_STAT ) #if defined( SJCD_GATHER_STAT )
case 0xABCD:{ case 0xABCD:{
int s;
#if defined( SJCD_TRACE ) #if defined( SJCD_TRACE )
printk("SJCD: ioctl: statistic\n"); printk("SJCD: ioctl: statistic\n");
#endif #endif
if ((s = if (copy_to_user((void *)arg, &statistic,
verify_area(VERIFY_WRITE, (void *) arg, sizeof(statistic)))
sizeof(statistic))) == 0) return -EFAULT;
copy_to_user((void *) arg, &statistic, return 0;
sizeof(statistic));
return (s);
} }
#endif #endif
......
...@@ -1022,11 +1022,8 @@ sony_get_subchnl_info(long arg) ...@@ -1022,11 +1022,8 @@ sony_get_subchnl_info(long arg)
if (!sony_toc_read) { if (!sony_toc_read) {
return -EIO; return -EIO;
} }
err = verify_area(VERIFY_WRITE /* and read */ , (char *)arg, sizeof schi); if (copy_from_user(&schi, (char *)arg, sizeof schi))
if (err) return -EFAULT;
return err;
copy_from_user(&schi, (char *)arg, sizeof schi);
switch (sony_audio_status) { switch (sony_audio_status) {
case CDROM_AUDIO_PLAY: case CDROM_AUDIO_PLAY:
...@@ -1041,7 +1038,8 @@ sony_get_subchnl_info(long arg) ...@@ -1041,7 +1038,8 @@ sony_get_subchnl_info(long arg)
case CDROM_AUDIO_NO_STATUS: case CDROM_AUDIO_NO_STATUS:
schi.cdsc_audiostatus = sony_audio_status; schi.cdsc_audiostatus = sony_audio_status;
copy_to_user((char *)arg, &schi, sizeof schi); if (copy_to_user((char *)arg, &schi, sizeof schi))
return -EFAULT;
return 0; return 0;
break; break;
...@@ -1068,8 +1066,7 @@ sony_get_subchnl_info(long arg) ...@@ -1068,8 +1066,7 @@ sony_get_subchnl_info(long arg)
schi.cdsc_absaddr.lba = msf_to_log(last_sony_subcode->abs_msf); schi.cdsc_absaddr.lba = msf_to_log(last_sony_subcode->abs_msf);
schi.cdsc_reladdr.lba = msf_to_log(last_sony_subcode->rel_msf); schi.cdsc_reladdr.lba = msf_to_log(last_sony_subcode->rel_msf);
} }
copy_to_user((char *)arg, &schi, sizeof schi); return copy_to_user((char *)arg, &schi, sizeof schi) ? -EFAULT : 0;
return 0;
} }
...@@ -1218,12 +1215,10 @@ cdu_ioctl(struct inode *inode, ...@@ -1218,12 +1215,10 @@ cdu_ioctl(struct inode *inode,
if (!sony_toc_read) if (!sony_toc_read)
return -EIO; return -EIO;
hdr = (struct cdrom_tochdr *)arg; hdr = (struct cdrom_tochdr *)arg;
err = verify_area(VERIFY_WRITE, hdr, sizeof *hdr);
if (err)
return err;
loc_hdr.cdth_trk0 = bcd_to_int(sony_toc->first_track_num); loc_hdr.cdth_trk0 = bcd_to_int(sony_toc->first_track_num);
loc_hdr.cdth_trk1 = bcd_to_int(sony_toc->last_track_num); loc_hdr.cdth_trk1 = bcd_to_int(sony_toc->last_track_num);
copy_to_user(hdr, &loc_hdr, sizeof *hdr); if (copy_to_user(hdr, &loc_hdr, sizeof *hdr))
return -EFAULT;
} }
return 0; return 0;
break; break;
...@@ -1240,11 +1235,9 @@ cdu_ioctl(struct inode *inode, ...@@ -1240,11 +1235,9 @@ cdu_ioctl(struct inode *inode,
return -EIO; return -EIO;
} }
entry = (struct cdrom_tocentry *)arg; entry = (struct cdrom_tocentry *)arg;
err = verify_area(VERIFY_WRITE /* and read */ , entry, sizeof *entry);
if (err)
return err;
copy_from_user(&loc_entry, entry, sizeof loc_entry); if (copy_from_user(&loc_entry, entry, sizeof loc_entry))
return -EFAULT;
/* Lead out is handled separately since it is special. */ /* Lead out is handled separately since it is special. */
if (loc_entry.cdte_track == CDROM_LEADOUT) { if (loc_entry.cdte_track == CDROM_LEADOUT) {
...@@ -1268,7 +1261,8 @@ cdu_ioctl(struct inode *inode, ...@@ -1268,7 +1261,8 @@ cdu_ioctl(struct inode *inode,
loc_entry.cdte_addr.msf.second = bcd_to_int(*(msf_val + 1)); loc_entry.cdte_addr.msf.second = bcd_to_int(*(msf_val + 1));
loc_entry.cdte_addr.msf.frame = bcd_to_int(*(msf_val + 2)); loc_entry.cdte_addr.msf.frame = bcd_to_int(*(msf_val + 2));
} }
copy_to_user(entry, &loc_entry, sizeof *entry); if (copy_to_user(entry, &loc_entry, sizeof *entry))
return -EFAULT;
} }
return 0; return 0;
break; break;
...@@ -1281,11 +1275,9 @@ cdu_ioctl(struct inode *inode, ...@@ -1281,11 +1275,9 @@ cdu_ioctl(struct inode *inode,
sony_get_toc(); sony_get_toc();
if (!sony_toc_read) if (!sony_toc_read)
return -EIO; return -EIO;
err = verify_area(VERIFY_READ, (char *)arg, sizeof ti);
if (err)
return err;
copy_from_user(&ti, (char *)arg, sizeof ti); if (copy_from_user(&ti, (char *)arg, sizeof ti))
return -EFAULT;
if ((ti.cdti_trk0 < sony_toc->first_track_num) if ((ti.cdti_trk0 < sony_toc->first_track_num)
|| (sony_toc->last_track_num < ti.cdti_trk0) || (sony_toc->last_track_num < ti.cdti_trk0)
|| (ti.cdti_trk1 < ti.cdti_trk0)) { || (ti.cdti_trk1 < ti.cdti_trk0)) {
...@@ -1352,11 +1344,9 @@ cdu_ioctl(struct inode *inode, ...@@ -1352,11 +1344,9 @@ cdu_ioctl(struct inode *inode,
{ {
struct cdrom_volctrl volctrl; struct cdrom_volctrl volctrl;
err = verify_area(VERIFY_READ, (char *)arg, sizeof volctrl); if (copy_from_user(&volctrl, (char *)arg,
if (err) sizeof volctrl))
return err; return -EFAULT;
copy_from_user(&volctrl, (char *)arg, sizeof volctrl);
cmd_buff[0] = SONY535_SET_VOLUME; cmd_buff[0] = SONY535_SET_VOLUME;
cmd_buff[1] = volctrl.channel0; cmd_buff[1] = volctrl.channel0;
cmd_buff[2] = volctrl.channel1; cmd_buff[2] = volctrl.channel1;
......
...@@ -1209,7 +1209,8 @@ int i810_ov0_info(struct inode *inode, struct file *filp, ...@@ -1209,7 +1209,8 @@ int i810_ov0_info(struct inode *inode, struct file *filp,
data.offset = dev_priv->overlay_offset; data.offset = dev_priv->overlay_offset;
data.physical = dev_priv->overlay_physical; data.physical = dev_priv->overlay_physical;
copy_to_user((drm_i810_overlay_t *)arg,&data,sizeof(data)); if (copy_to_user((drm_i810_overlay_t *)arg,&data,sizeof(data)))
return -EFAULT;
return 0; return 0;
} }
......