Loading drivers/staging/comedi/comedi_fops.c +24 −24 Original line number Original line Diff line number Diff line Loading @@ -1741,9 +1741,8 @@ static int __comedi_get_user_chanlist(struct comedi_device *dev, * possibly modified comedi_cmd structure (when -EAGAIN returned) * possibly modified comedi_cmd structure (when -EAGAIN returned) */ */ static int do_cmd_ioctl(struct comedi_device *dev, static int do_cmd_ioctl(struct comedi_device *dev, struct comedi_cmd __user *arg, void *file) struct comedi_cmd *cmd, bool *copy, void *file) { { struct comedi_cmd cmd; struct comedi_subdevice *s; struct comedi_subdevice *s; struct comedi_async *async; struct comedi_async *async; unsigned int __user *user_chanlist; unsigned int __user *user_chanlist; Loading @@ -1751,20 +1750,15 @@ static int do_cmd_ioctl(struct comedi_device *dev, lockdep_assert_held(&dev->mutex); lockdep_assert_held(&dev->mutex); if (copy_from_user(&cmd, arg, sizeof(cmd))) { /* do some simple cmd validation */ dev_dbg(dev->class_dev, "bad cmd address\n"); ret = __comedi_get_user_cmd(dev, cmd); return -EFAULT; } /* get the user's cmd and do some simple validation */ ret = __comedi_get_user_cmd(dev, &cmd); if (ret) if (ret) return ret; return ret; /* save user's chanlist pointer so it can be restored later */ /* save user's chanlist pointer so it can be restored later */ user_chanlist = (unsigned int __user *)cmd.chanlist; user_chanlist = (unsigned int __user *)cmd->chanlist; s = &dev->subdevices[cmd.subdev]; s = &dev->subdevices[cmd->subdev]; async = s->async; async = s->async; /* are we locked? (ioctl lock) */ /* are we locked? (ioctl lock) */ Loading @@ -1780,13 +1774,13 @@ static int do_cmd_ioctl(struct comedi_device *dev, } } /* make sure channel/gain list isn't too short */ /* make sure channel/gain list isn't too short */ if (cmd.chanlist_len < 1) { if (cmd->chanlist_len < 1) { dev_dbg(dev->class_dev, "channel/gain list too short %u < 1\n", dev_dbg(dev->class_dev, "channel/gain list too short %u < 1\n", cmd.chanlist_len); cmd->chanlist_len); return -EINVAL; return -EINVAL; } } async->cmd = cmd; async->cmd = *cmd; async->cmd.data = NULL; async->cmd.data = NULL; /* load channel/gain list */ /* load channel/gain list */ Loading @@ -1798,15 +1792,11 @@ static int do_cmd_ioctl(struct comedi_device *dev, if (async->cmd.flags & CMDF_BOGUS || ret) { if (async->cmd.flags & CMDF_BOGUS || ret) { dev_dbg(dev->class_dev, "test returned %d\n", ret); dev_dbg(dev->class_dev, "test returned %d\n", ret); cmd = async->cmd; *cmd = async->cmd; /* restore chanlist pointer before copying back */ /* restore chanlist pointer before copying back */ cmd.chanlist = (unsigned int __force *)user_chanlist; cmd->chanlist = (unsigned int __force *)user_chanlist; cmd.data = NULL; cmd->data = NULL; if (copy_to_user(arg, &cmd, sizeof(cmd))) { *copy = true; dev_dbg(dev->class_dev, "fault writing cmd\n"); ret = -EFAULT; goto cleanup; } ret = -EAGAIN; ret = -EAGAIN; goto cleanup; goto cleanup; } } Loading Loading @@ -2207,9 +2197,19 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, case COMEDI_CANCEL: case COMEDI_CANCEL: rc = do_cancel_ioctl(dev, arg, file); rc = do_cancel_ioctl(dev, arg, file); break; break; case COMEDI_CMD: case COMEDI_CMD: { rc = do_cmd_ioctl(dev, (struct comedi_cmd __user *)arg, file); struct comedi_cmd cmd; bool copy = false; if (copy_from_user(&cmd, (void __user *)arg, sizeof(cmd))) { rc = -EFAULT; break; } rc = do_cmd_ioctl(dev, &cmd, ©, file); if (copy && copy_to_user((void __user *)arg, &cmd, sizeof(cmd))) rc = -EFAULT; break; break; } case COMEDI_CMDTEST: { case COMEDI_CMDTEST: { struct comedi_cmd cmd; struct comedi_cmd cmd; bool copy = false; bool copy = false; Loading Loading
drivers/staging/comedi/comedi_fops.c +24 −24 Original line number Original line Diff line number Diff line Loading @@ -1741,9 +1741,8 @@ static int __comedi_get_user_chanlist(struct comedi_device *dev, * possibly modified comedi_cmd structure (when -EAGAIN returned) * possibly modified comedi_cmd structure (when -EAGAIN returned) */ */ static int do_cmd_ioctl(struct comedi_device *dev, static int do_cmd_ioctl(struct comedi_device *dev, struct comedi_cmd __user *arg, void *file) struct comedi_cmd *cmd, bool *copy, void *file) { { struct comedi_cmd cmd; struct comedi_subdevice *s; struct comedi_subdevice *s; struct comedi_async *async; struct comedi_async *async; unsigned int __user *user_chanlist; unsigned int __user *user_chanlist; Loading @@ -1751,20 +1750,15 @@ static int do_cmd_ioctl(struct comedi_device *dev, lockdep_assert_held(&dev->mutex); lockdep_assert_held(&dev->mutex); if (copy_from_user(&cmd, arg, sizeof(cmd))) { /* do some simple cmd validation */ dev_dbg(dev->class_dev, "bad cmd address\n"); ret = __comedi_get_user_cmd(dev, cmd); return -EFAULT; } /* get the user's cmd and do some simple validation */ ret = __comedi_get_user_cmd(dev, &cmd); if (ret) if (ret) return ret; return ret; /* save user's chanlist pointer so it can be restored later */ /* save user's chanlist pointer so it can be restored later */ user_chanlist = (unsigned int __user *)cmd.chanlist; user_chanlist = (unsigned int __user *)cmd->chanlist; s = &dev->subdevices[cmd.subdev]; s = &dev->subdevices[cmd->subdev]; async = s->async; async = s->async; /* are we locked? (ioctl lock) */ /* are we locked? (ioctl lock) */ Loading @@ -1780,13 +1774,13 @@ static int do_cmd_ioctl(struct comedi_device *dev, } } /* make sure channel/gain list isn't too short */ /* make sure channel/gain list isn't too short */ if (cmd.chanlist_len < 1) { if (cmd->chanlist_len < 1) { dev_dbg(dev->class_dev, "channel/gain list too short %u < 1\n", dev_dbg(dev->class_dev, "channel/gain list too short %u < 1\n", cmd.chanlist_len); cmd->chanlist_len); return -EINVAL; return -EINVAL; } } async->cmd = cmd; async->cmd = *cmd; async->cmd.data = NULL; async->cmd.data = NULL; /* load channel/gain list */ /* load channel/gain list */ Loading @@ -1798,15 +1792,11 @@ static int do_cmd_ioctl(struct comedi_device *dev, if (async->cmd.flags & CMDF_BOGUS || ret) { if (async->cmd.flags & CMDF_BOGUS || ret) { dev_dbg(dev->class_dev, "test returned %d\n", ret); dev_dbg(dev->class_dev, "test returned %d\n", ret); cmd = async->cmd; *cmd = async->cmd; /* restore chanlist pointer before copying back */ /* restore chanlist pointer before copying back */ cmd.chanlist = (unsigned int __force *)user_chanlist; cmd->chanlist = (unsigned int __force *)user_chanlist; cmd.data = NULL; cmd->data = NULL; if (copy_to_user(arg, &cmd, sizeof(cmd))) { *copy = true; dev_dbg(dev->class_dev, "fault writing cmd\n"); ret = -EFAULT; goto cleanup; } ret = -EAGAIN; ret = -EAGAIN; goto cleanup; goto cleanup; } } Loading Loading @@ -2207,9 +2197,19 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, case COMEDI_CANCEL: case COMEDI_CANCEL: rc = do_cancel_ioctl(dev, arg, file); rc = do_cancel_ioctl(dev, arg, file); break; break; case COMEDI_CMD: case COMEDI_CMD: { rc = do_cmd_ioctl(dev, (struct comedi_cmd __user *)arg, file); struct comedi_cmd cmd; bool copy = false; if (copy_from_user(&cmd, (void __user *)arg, sizeof(cmd))) { rc = -EFAULT; break; } rc = do_cmd_ioctl(dev, &cmd, ©, file); if (copy && copy_to_user((void __user *)arg, &cmd, sizeof(cmd))) rc = -EFAULT; break; break; } case COMEDI_CMDTEST: { case COMEDI_CMDTEST: { struct comedi_cmd cmd; struct comedi_cmd cmd; bool copy = false; bool copy = false; Loading
Al Viro <viro@zeniv.linux.org.uk>Al Viro <viro@zeniv.linux.org.uk>