Commit d094cdb2 authored by Alexander Viro's avatar Alexander Viro Committed by Linus Torvalds

[PATCH] sparse: make sg_io_hdr->cmdp a __user pointer

copying moved into sg_io()
parent 14044746
...@@ -113,11 +113,14 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk, ...@@ -113,11 +113,14 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk,
struct request *rq; struct request *rq;
struct bio *bio; struct bio *bio;
char sense[SCSI_SENSE_BUFFERSIZE]; char sense[SCSI_SENSE_BUFFERSIZE];
unsigned char cmd[BLK_MAX_CDB];
if (hdr->interface_id != 'S') if (hdr->interface_id != 'S')
return -EINVAL; return -EINVAL;
if (hdr->cmd_len > sizeof(rq->cmd)) if (hdr->cmd_len > BLK_MAX_CDB)
return -EINVAL; return -EINVAL;
if (copy_from_user(cmd, hdr->cmdp, hdr->cmd_len))
return -EFAULT;
/* /*
* we'll do that later * we'll do that later
...@@ -156,7 +159,7 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk, ...@@ -156,7 +159,7 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk,
* fill in request structure * fill in request structure
*/ */
rq->cmd_len = hdr->cmd_len; rq->cmd_len = hdr->cmd_len;
memcpy(rq->cmd, hdr->cmdp, hdr->cmd_len); memcpy(rq->cmd, cmd, hdr->cmd_len);
if (sizeof(rq->cmd) != hdr->cmd_len) if (sizeof(rq->cmd) != hdr->cmd_len)
memset(rq->cmd + hdr->cmd_len, 0, sizeof(rq->cmd) - hdr->cmd_len); memset(rq->cmd + hdr->cmd_len, 0, sizeof(rq->cmd) - hdr->cmd_len);
...@@ -352,26 +355,15 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg) ...@@ -352,26 +355,15 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg)
break; break;
case SG_IO: { case SG_IO: {
struct sg_io_hdr hdr; struct sg_io_hdr hdr;
unsigned char cdb[BLK_MAX_CDB], *old_cdb;
err = -EFAULT; err = -EFAULT;
if (copy_from_user(&hdr, (struct sg_io_hdr *) arg, sizeof(hdr))) if (copy_from_user(&hdr, (struct sg_io_hdr __user *) arg, sizeof(hdr)))
break;
err = -EINVAL;
if (hdr.cmd_len > sizeof(rq->cmd))
break;
err = -EFAULT;
if (copy_from_user(cdb, hdr.cmdp, hdr.cmd_len))
break; break;
old_cdb = hdr.cmdp;
hdr.cmdp = cdb;
err = sg_io(q, bd_disk, &hdr); err = sg_io(q, bd_disk, &hdr);
if (err == -EFAULT) if (err == -EFAULT)
break; break;
hdr.cmdp = old_cdb; if (copy_to_user((struct sg_io_hdr __user *) arg, &hdr, sizeof(hdr)))
if (copy_to_user((struct sg_io_hdr *) arg, &hdr, sizeof(hdr)))
err = -EFAULT; err = -EFAULT;
break; break;
} }
...@@ -380,7 +372,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg) ...@@ -380,7 +372,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg)
struct sg_io_hdr hdr; struct sg_io_hdr hdr;
err = -EFAULT; err = -EFAULT;
if (copy_from_user(&cgc, (struct cdrom_generic_command *) arg, sizeof(cgc))) if (copy_from_user(&cgc, (struct cdrom_generic_command __user *) arg, sizeof(cgc)))
break; break;
cgc.timeout = clock_t_to_jiffies(cgc.timeout); cgc.timeout = clock_t_to_jiffies(cgc.timeout);
memset(&hdr, 0, sizeof(hdr)); memset(&hdr, 0, sizeof(hdr));
...@@ -412,7 +404,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg) ...@@ -412,7 +404,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg)
if (hdr.sbp) if (hdr.sbp)
hdr.mx_sb_len = sizeof(struct request_sense); hdr.mx_sb_len = sizeof(struct request_sense);
hdr.timeout = cgc.timeout; hdr.timeout = cgc.timeout;
hdr.cmdp = cgc.cmd; hdr.cmdp = &((struct cdrom_generic_command __user*) arg)->cmd;
hdr.cmd_len = sizeof(cgc.cmd); hdr.cmd_len = sizeof(cgc.cmd);
err = sg_io(q, bd_disk, &hdr); err = sg_io(q, bd_disk, &hdr);
...@@ -424,7 +416,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg) ...@@ -424,7 +416,7 @@ int scsi_cmd_ioctl(struct gendisk *bd_disk, unsigned int cmd, unsigned long arg)
cgc.stat = err; cgc.stat = err;
cgc.buflen = hdr.resid; cgc.buflen = hdr.resid;
if (copy_to_user((struct cdrom_generic_command *) arg, &cgc, sizeof(cgc))) if (copy_to_user((struct cdrom_generic_command __user *) arg, &cgc, sizeof(cgc)))
err = -EFAULT; err = -EFAULT;
break; break;
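Review bot: In the CDROM_SEND_PACKET case, `hdr.cmdp` now points back into the caller's `struct cdrom_generic_command`, so sg_io() fetches the command bytes from user space a second time after `cgc` was already copied in. The two reads can differ if the caller rewrites the buffer in between, so any check made on `cgc.cmd` in the part of this case not shown here would examine different bytes from the ones sent to the device. A comment such as `/* sg_io() re-reads the CDB from user space; never validate against cgc.cmd */` would record that. Separately, if `cmd` is an array member (as `sizeof(cgc.cmd)` suggests), the `&` yields a pointer-to-array rather than `unsigned char __user *`; `hdr.cmdp = ((struct cdrom_generic_command __user *) arg)->cmd;` has the matching type. The case body starts and ends outside the visible hunks.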
......
...@@ -106,7 +106,7 @@ typedef struct sg_io_hdr ...@@ -106,7 +106,7 @@ typedef struct sg_io_hdr
unsigned int dxfer_len; /* [i] byte count of data transfer */ unsigned int dxfer_len; /* [i] byte count of data transfer */
void * dxferp; /* [i], [*io] points to data transfer memory void * dxferp; /* [i], [*io] points to data transfer memory
or scatter gather list */ or scatter gather list */
unsigned char * cmdp; /* [i], [*i] points to command to perform */ unsigned char __user *cmdp; /* [i], [*i] points to command to perform */
unsigned char * sbp; /* [i], [*o] points to sense_buffer memory */ unsigned char * sbp; /* [i], [*o] points to sense_buffer memory */
unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */ unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */ unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */
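Review bot: `dxferp` and `sbp` keep plain pointer types in this struct, so sparse will still not flag a direct dereference of them, although their comments describe caller-supplied memory in the same way as `cmdp`. If they are user-space addresses on the SG_IO path (not confirmable from this hunk), annotate them as well, e.g. `void __user *dxferp;` and `unsigned char __user *sbp;`, or say in a comment that they are still to be converted. The struct definition starts and ends outside the hunk.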
......