drivers/block/*.c
authorArnaldo Carvalho de Melo <acme@conectiva.com.br>
Sun, 19 May 2002 19:01:22 +0000 (16:01 -0300)
committerArnaldo Carvalho de Melo <acme@conectiva.com.br>
Sun, 19 May 2002 19:01:22 +0000 (16:01 -0300)
  - fix copy_{to,from}_user error handling, thanks to Rusty for
    pointing this out on lkml

drivers/block/DAC960.c
drivers/block/cpqarray.c
drivers/block/paride/pg.c
drivers/block/paride/pt.c
drivers/block/rd.c
drivers/block/swim3.c
drivers/block/swim_iop.c

index 12481db1849ef87588b079a523cd8bb352ce34aa..7ba55877b5a931c37b6f03731db7e6bf8504d30c 100644 (file)
@@ -5473,9 +5473,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        int ControllerNumber, DataTransferLength;
        unsigned char *DataTransferBuffer = NULL;
        if (UserSpaceUserCommand == NULL) return -EINVAL;
-       ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
-                                  sizeof(DAC960_V1_UserCommand_T));
-       if (ErrorCode != 0) goto Failure1;
+       if (copy_from_user(&UserCommand, UserSpaceUserCommand,
+                                  sizeof(DAC960_V1_UserCommand_T))) {
+               ErrorCode = -EFAULT;
+               goto Failure1;
+       }
        ControllerNumber = UserCommand.ControllerNumber;
        if (ControllerNumber < 0 ||
            ControllerNumber > DAC960_ControllerCount - 1)
@@ -5488,9 +5490,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        if (CommandOpcode & 0x80) return -EINVAL;
        if (CommandOpcode == DAC960_V1_DCDB)
          {
-           ErrorCode =
-             copy_from_user(&DCDB, UserCommand.DCDB, sizeof(DAC960_V1_DCDB_T));
-           if (ErrorCode != 0) goto Failure1;
+           if (copy_from_user(&DCDB, UserCommand.DCDB,
+                              sizeof(DAC960_V1_DCDB_T))) {
+               ErrorCode = -EFAULT;
+               goto Failure1;
+           }
            if (DCDB.Channel >= DAC960_V1_MaxChannels) return -EINVAL;
            if (!((DataTransferLength == 0 &&
                   DCDB.Direction
@@ -5516,10 +5520,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
          {
            DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
            if (DataTransferBuffer == NULL) return -ENOMEM;
-           ErrorCode = copy_from_user(DataTransferBuffer,
-                                      UserCommand.DataTransferBuffer,
-                                      -DataTransferLength);
-           if (ErrorCode != 0) goto Failure1;
+           if (copy_from_user(DataTransferBuffer,
+                              UserCommand.DataTransferBuffer,
+                              -DataTransferLength)) {
+               ErrorCode = -EFAULT;
+               goto Failure1;
+           }
          }
        if (CommandOpcode == DAC960_V1_DCDB)
          {
@@ -5567,17 +5573,21 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
        if (DataTransferLength > 0)
          {
-           ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
-                                    DataTransferBuffer, DataTransferLength);
-           if (ErrorCode != 0) goto Failure1;
+           if (copy_to_user(UserCommand.DataTransferBuffer,
+                            DataTransferBuffer, DataTransferLength))
+               ErrorCode = -EFAULT;
+               goto Failure1;
+         }
          }
        if (CommandOpcode == DAC960_V1_DCDB)
          {
            Controller->V1.DirectCommandActive[DCDB.Channel]
                                              [DCDB.TargetID] = false;
-           ErrorCode =
-             copy_to_user(UserCommand.DCDB, &DCDB, sizeof(DAC960_V1_DCDB_T));
-           if (ErrorCode != 0) goto Failure1;
+           if (copy_to_user(UserCommand.DCDB, &DCDB,
+                            sizeof(DAC960_V1_DCDB_T))) {
+               ErrorCode = -EFAULT;
+               goto Failure1;
+           }
          }
        ErrorCode = CommandStatus;
       Failure1:
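Review bot: The first added `if (copy_to_user(UserCommand.DataTransferBuffer, ...))` in this hunk is missing its opening brace, while a closing `}` was added two lines below it. As written, `goto Failure1;` is no longer governed by the `if`, and the extra `}` leaves the surrounding block's braces unbalanced. This should fail to build; if it did build, every transfer with `DataTransferLength > 0` would jump to Failure1 and skip the DCDB copy-back and the `DirectCommandActive` reset that follow. End the condition with `DataTransferBuffer, DataTransferLength)) {` and indent the closing brace like the other converted sites. DAC960_UserIOCTL starts and ends outside the hunk.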
@@ -5600,9 +5610,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        unsigned char *DataTransferBuffer = NULL;
        unsigned char *RequestSenseBuffer = NULL;
        if (UserSpaceUserCommand == NULL) return -EINVAL;
-       ErrorCode = copy_from_user(&UserCommand, UserSpaceUserCommand,
-                                  sizeof(DAC960_V2_UserCommand_T));
-       if (ErrorCode != 0) goto Failure2;
+       if (copy_from_user(&UserCommand, UserSpaceUserCommand,
+                          sizeof(DAC960_V2_UserCommand_T))) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+       }
        ControllerNumber = UserCommand.ControllerNumber;
        if (ControllerNumber < 0 ||
            ControllerNumber > DAC960_ControllerCount - 1)
@@ -5621,10 +5633,12 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
          {
            DataTransferBuffer = kmalloc(-DataTransferLength, GFP_KERNEL);
            if (DataTransferBuffer == NULL) return -ENOMEM;
-           ErrorCode = copy_from_user(DataTransferBuffer,
-                                      UserCommand.DataTransferBuffer,
-                                      -DataTransferLength);
-           if (ErrorCode != 0) goto Failure2;
+           if (copy_from_user(DataTransferBuffer,
+                              UserCommand.DataTransferBuffer,
+                              -DataTransferLength)) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+           }
          }
        RequestSenseLength = UserCommand.RequestSenseLength;
        if (RequestSenseLength > 0)
@@ -5694,25 +5708,32 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        DAC960_ReleaseControllerLock(Controller, &ProcessorFlags);
        if (RequestSenseLength > UserCommand.RequestSenseLength)
          RequestSenseLength = UserCommand.RequestSenseLength;
-       ErrorCode = copy_to_user(&UserSpaceUserCommand->DataTransferLength,
+       if (copy_to_user(&UserSpaceUserCommand->DataTransferLength,
                                 &DataTransferResidue,
-                                sizeof(DataTransferResidue));
-       if (ErrorCode != 0) goto Failure2;
-       ErrorCode = copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
-                                &RequestSenseLength,
-                                sizeof(RequestSenseLength));
-       if (ErrorCode != 0) goto Failure2;
+                                sizeof(DataTransferResidue))) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+       }
+       if (copy_to_user(&UserSpaceUserCommand->RequestSenseLength,
+                        &RequestSenseLength, sizeof(RequestSenseLength))) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+       }
        if (DataTransferLength > 0)
          {
-           ErrorCode = copy_to_user(UserCommand.DataTransferBuffer,
-                                    DataTransferBuffer, DataTransferLength);
-           if (ErrorCode != 0) goto Failure2;
+           if (copy_to_user(UserCommand.DataTransferBuffer,
+                            DataTransferBuffer, DataTransferLength)) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+           }
          }
        if (RequestSenseLength > 0)
          {
-           ErrorCode = copy_to_user(UserCommand.RequestSenseBuffer,
-                                    RequestSenseBuffer, RequestSenseLength);
-           if (ErrorCode != 0) goto Failure2;
+           if (copy_to_user(UserCommand.RequestSenseBuffer,
+                            RequestSenseBuffer, RequestSenseLength)) {
+               ErrorCode = -EFAULT;
+               goto Failure2;
+           }
          }
        ErrorCode = CommandStatus;
       Failure2:
@@ -5731,9 +5752,9 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        DAC960_Controller_T *Controller;
        int ControllerNumber;
        if (UserSpaceGetHealthStatus == NULL) return -EINVAL;
-       ErrorCode = copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
-                                  sizeof(DAC960_V2_GetHealthStatus_T));
-       if (ErrorCode != 0) return ErrorCode;
+       if (copy_from_user(&GetHealthStatus, UserSpaceGetHealthStatus,
+                          sizeof(DAC960_V2_GetHealthStatus_T)))
+               return -EFAULT;
        ControllerNumber = GetHealthStatus.ControllerNumber;
        if (ControllerNumber < 0 ||
            ControllerNumber > DAC960_ControllerCount - 1)
@@ -5741,10 +5762,10 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
        Controller = DAC960_Controllers[ControllerNumber];
        if (Controller == NULL) return -ENXIO;
        if (Controller->FirmwareType != DAC960_V2_Controller) return -EINVAL;
-       ErrorCode = copy_from_user(&HealthStatusBuffer,
-                                  GetHealthStatus.HealthStatusBuffer,
-                                  sizeof(DAC960_V2_HealthStatusBuffer_T));
-       if (ErrorCode != 0) return ErrorCode;
+       if (copy_from_user(&HealthStatusBuffer,
+                          GetHealthStatus.HealthStatusBuffer,
+                          sizeof(DAC960_V2_HealthStatusBuffer_T)))
+               return -EFAULT;
        while (Controller->V2.HealthStatusBuffer->StatusChangeCounter
               == HealthStatusBuffer.StatusChangeCounter &&
               Controller->V2.HealthStatusBuffer->NextEventSequenceNumber
@@ -5754,10 +5775,11 @@ static int DAC960_UserIOCTL(Inode_T *Inode, File_T *File,
                                           DAC960_MonitoringTimerInterval);
            if (signal_pending(current)) return -EINTR;
          }
-       ErrorCode = copy_to_user(GetHealthStatus.HealthStatusBuffer,
-                                Controller->V2.HealthStatusBuffer,
-                                sizeof(DAC960_V2_HealthStatusBuffer_T));
-       return ErrorCode;
+       if (copy_to_user(GetHealthStatus.HealthStatusBuffer,
+                        Controller->V2.HealthStatusBuffer,
+                        sizeof(DAC960_V2_HealthStatusBuffer_T)))
+               return -EFAULT;
+       return 0;
       }
     }
   return -EINVAL;
index 314ade57968d57c048c2485b6d289a73d8ae45a7..027bdaaf31890ecdf3be023bc52f96bff216cb22 100644 (file)
@@ -1117,17 +1117,19 @@ static int ida_ioctl(struct inode *inode, struct file *filep, unsigned int cmd,
                put_user(get_start_sect(inode->i_rdev), &geo->start);
                return 0;
        case IDAGETDRVINFO:
-               return copy_to_user(&io->c.drv,&hba[ctlr]->drv[dsk],sizeof(drv_info_t));
+               if (copy_to_user(&io->c.drv, &hba[ctlr]->drv[dsk],
+                                sizeof(drv_info_t)))
+                       return -EFAULT;
+               return 0;
        case BLKRRPART:
                return revalidate_logvol(inode->i_rdev, 1);
        case IDAPASSTHRU:
                if (!capable(CAP_SYS_RAWIO)) return -EPERM;
-               error = copy_from_user(&my_io, io, sizeof(my_io));
-               if (error) return error;
+               if (copy_from_user(&my_io, io, sizeof(my_io)))
+                       return -EFAULT;
                error = ida_ctlr_ioctl(ctlr, dsk, &my_io);
                if (error) return error;
-               error = copy_to_user(io, &my_io, sizeof(my_io));
-               return error;
+               return copy_to_user(io, &my_io, sizeof(my_io)) ? -EFAULT : 0;
        case IDAGETCTLRSIG:
                if (!arg) return -EINVAL;
                put_user(hba[ctlr]->ctlr_sig, (int*)arg);
@@ -1208,7 +1210,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
                        cmd_free(h, c, 0); 
                        return(error);
                }
-               copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
+               if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
+                       kfree(p);
+                       cmd_free(h, c, 0); 
+                       return -EFAULT;
+               }
                c->req.hdr.blk = pci_map_single(h->pci_dev, &(io->c), 
                                sizeof(ida_ioctl_t), 
                                PCI_DMA_BIDIRECTIONAL);
@@ -1245,7 +1251,11 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
                         cmd_free(h, c, 0);
                         return(error);
                 }
-               copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size);
+               if (copy_from_user(p, (void*)io->sg[0].addr, io->sg[0].size)) {
+                       kfree(p);
+                        cmd_free(h, c, 0);
+                       return -EFAULT;
+               }
                c->req.sg[0].size = io->sg[0].size;
                c->req.sg[0].addr = pci_map_single(h->pci_dev, p, 
                        c->req.sg[0].size, PCI_DMA_BIDIRECTIONAL); 
@@ -1282,7 +1292,10 @@ static int ida_ctlr_ioctl(int ctlr, int dsk, ida_ioctl_t *io)
        case DIAG_PASS_THRU:
        case SENSE_CONTROLLER_PERFORMANCE:
        case READ_FLASH_ROM:
-               copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size);
+               if (copy_to_user((void*)io->sg[0].addr, p, io->sg[0].size)) {
+                       kfree(p);
+                       return -EFAULT;
+               }
                /* fall through and free p */
        case IDA_WRITE:
        case IDA_WRITE_MEDIA:
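Review bot: The new `copy_to_user` failure path frees `p` but returns without releasing the command block, whereas the two `copy_from_user` error paths added earlier in ida_ctlr_ioctl call both `kfree(p)` and `cmd_free(h, c, 0)`. Unless `c` has already been released before this switch (not visible in the hunk), each failed copy-out leaks one command block. Add `cmd_free(h, c, 0);` before `return -EFAULT;`. If the `pci_map_single` mappings set up earlier are undone after this point, the early return skips that as well. The function continues outside the hunk.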
index 8592e40392d5f85184f16ecd04bd9952b53ae018..1f05ab38cc84863e5f6963e715170e1e0c26851f 100644 (file)
@@ -623,7 +623,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
        if (PG.busy) return -EBUSY;
        if (count < hs) return -EINVAL;
        
-       copy_from_user((char *)&hdr,buf,hs);
+       if (copy_from_user((char *)&hdr, buf, hs))
+               return -EFAULT;
 
        if (hdr.magic != PG_MAGIC) return -EINVAL;
        if (hdr.dlen > PG_MAX_DATA) return -EINVAL;
@@ -647,8 +648,8 @@ static ssize_t pg_write(struct file * filp, const char * buf,
 
        PG.busy = 1;
 
-       copy_from_user(PG.bufptr,buf+hs,count-hs);
-
+       if (copy_from_user(PG.bufptr, buf + hs, count - hs))
+               return -EFAULT;
        return count;
 }
 
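Review bot: The added `return -EFAULT` comes after `PG.busy = 1;`, so a failed payload copy leaves the device marked busy. The next pg_write call then stops at `if (PG.busy) return -EBUSY;`. Whether anything else clears the flag is not visible here, and the code between the header checks and this point lies outside the hunk. Prefer copying the payload into `PG.bufptr` before `PG.busy = 1;` is set. Alternatively, clear the flag on the failure path: `if (copy_from_user(PG.bufptr, buf + hs, count - hs)) { PG.busy = 0; return -EFAULT; }`.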
@@ -682,9 +683,11 @@ static ssize_t pg_read(struct file * filp, char * buf,
        hdr.duration = (jiffies - PG.start + HZ/2) / HZ;
        hdr.scsi = PG.status & 0x0f;
 
-       copy_to_user(buf,(char *)&hdr,hs);
-       if (copy > 0) copy_to_user(buf+hs,PG.bufptr,copy);
-       
+       if (copy_to_user(buf, (char *)&hdr, hs))
+               return -EFAULT;
+       if (copy > 0)
+               if (copy_to_user(buf+hs,PG.bufptr,copy))
+                       return -EFAULT;
        return copy+hs;
 }
 
index fab199e16a253e78b050d977f6d43cc80c3fcef9..ccf3db7b1463cf89462bfc548d7b3b6de6991e5a 100644 (file)
@@ -860,7 +860,10 @@ static ssize_t pt_read(struct file * filp, char * buf,
                    n -= k;
                    b = k;
                    if (b > count) b = count;
-                   copy_to_user(buf+t,PT.bufptr,b);
+                   if (copy_to_user(buf + t, PT.bufptr, b)) {
+                       pi_disconnect(PI);
+                       return -EFAULT;
+                   }
                    t += b;
                    count -= b;
                }
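Review bot: A fault on a later loop iteration now returns -EFAULT even though `t` bytes were already copied to the caller by earlier iterations. The caller therefore cannot tell how much data was consumed from the tape. If a short read is acceptable for this driver, consider `return t ? t : -EFAULT;` after `pi_disconnect(PI);`. The same applies to the `copy_from_user` path added in pt_write, where blocks already written by earlier iterations go unreported. The loop and the rest of pt_read lie outside the hunk.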
@@ -944,7 +947,10 @@ static ssize_t pt_write(struct file * filp, const char * buf,
                    if (k > PT_BUFSIZE) k = PT_BUFSIZE;
                    b = k;
                    if (b > count) b = count;
-                   copy_from_user(PT.bufptr,buf+t,b);
+                   if (copy_from_user(PT.bufptr, buf + t, b)) {
+                       pi_disconnect(PI);
+                       return -EFAULT;
+                   }
                     pi_write_block(PI,PT.bufptr,k);
                    t += b;
                    count -= b;
index d5af5c1d319672b3f4ae1715cda1f29df3ece04a..e2b22a17629b34ad8702ddee1fc512f4c30c53df 100644 (file)
@@ -318,7 +318,8 @@ static ssize_t initrd_read(struct file *file, char *buf,
        left = initrd_end - initrd_start - *ppos;
        if (count > left) count = left;
        if (count == 0) return 0;
-       copy_to_user(buf, (char *)initrd_start + *ppos, count);
+       if (copy_to_user(buf, (char *)initrd_start + *ppos, count))
+               return -EFAULT;
        *ppos += count;
        return count;
 }
index 5b223f90dcd9231553fbd3f98231e695e55b1f41..d83408ba14fb8de018a7a45add12f0af142b49a6 100644 (file)
@@ -840,9 +840,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
                err = fd_eject(fs);
                return err;
        case FDGETPRM:
-               err = copy_to_user((void *) param, (void *) &floppy_type,
-                                  sizeof(struct floppy_struct));
-               return err;
+               if (copy_to_user((void *) param, (void *)&floppy_type,
+                                sizeof(struct floppy_struct)))
+                       return -EFAULT;
+               return 0;
        }
        return -ENOTTY;
 }
index cf99a007494870810c3494d8af06514c06fc50b1..d57ff9d3bbfba425f3156ad9cc8c132db547ed19 100644 (file)
@@ -360,9 +360,10 @@ static int floppy_ioctl(struct inode *inode, struct file *filp,
                err = swimiop_eject(fs);
                return err;
        case FDGETPRM:
-               err = copy_to_user((void *) param, (void *) &floppy_type,
-                                  sizeof(struct floppy_struct));
-               return err;
+               if (copy_to_user((void *) param, (void *) &floppy_type,
+                                sizeof(struct floppy_struct)))
+                       return -EFAULT;
+               return 0;
        }
        return -ENOTTY;
 }