Rename 'chanlist_saver' to 'user_chanlist' to avoid confusion that
it's actually a __user *.
The chanlist pointer in comedi_cmd is still a user space pointer when
the comedi_cmd is copied with copy_from_user() in do_cmd_ioctl() and
do_cmdtest_ioctl(). This pointer needs to be cast when it is saved in
user_chanlist in order to preserve its address space.
The copy_from_user() call to copy the chanlist to the kernel space
comedi_command requires the second parameter to be a __user pointer.
Use the correctly cast user_chanlist instead of cmd->chanlist.
Before the comedi_cmd is copied back to user space, the saved
user_chanlist pointer is restored. Cast the user_chanlist again so
that the address space matches the comedi_cmd.
Signed-off-by: H Hartley Sweeten <hsweeten@xxxxxxxxxxxxxxxxxxx>
Cc: Ian Abbott <abbotti@xxxxxxxxx>
Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/staging/comedi/comedi_fops.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index df627c8..626fa72 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1137,14 +1137,14 @@ static int do_cmd_ioctl(struct comedi_device *dev,
struct comedi_subdevice *s;
struct comedi_async *async;
int ret = 0;
- unsigned int __user *chanlist_saver = NULL;
+ unsigned int __user *user_chanlist;
if (copy_from_user(&cmd, arg, sizeof(struct comedi_cmd))) {
DPRINTK("bad cmd address\n");
return -EFAULT;
}
/* save user's chanlist pointer so it can be restored later */
- chanlist_saver = cmd.chanlist;
+ user_chanlist = (unsigned int __user *)cmd.chanlist;
if (cmd.subdev >= dev->n_subdevices) {
DPRINTK("%d no such subdevice\n", cmd.subdev);
@@ -1206,7 +1206,7 @@ static int do_cmd_ioctl(struct comedi_device *dev,
goto cleanup;
}
- if (copy_from_user(async->cmd.chanlist, cmd.chanlist,
+ if (copy_from_user(async->cmd.chanlist, user_chanlist,
async->cmd.chanlist_len * sizeof(int))) {
DPRINTK("fault reading chanlist\n");
ret = -EFAULT;
@@ -1228,7 +1228,7 @@ static int do_cmd_ioctl(struct comedi_device *dev,
DPRINTK("test returned %d\n", ret);
cmd = async->cmd;
/* restore chanlist pointer before copying back */
- cmd.chanlist = chanlist_saver;
+ cmd.chanlist = (unsigned int __force *)user_chanlist;
cmd.data = NULL;
if (copy_to_user(arg, &cmd, sizeof(struct comedi_cmd))) {
DPRINTK("fault writing cmd\n");
@@ -1287,14 +1287,14 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
struct comedi_subdevice *s;
int ret = 0;
unsigned int *chanlist = NULL;
- unsigned int __user *chanlist_saver = NULL;
+ unsigned int __user *user_chanlist;
if (copy_from_user(&cmd, arg, sizeof(struct comedi_cmd))) {
DPRINTK("bad cmd address\n");
return -EFAULT;
}
/* save user's chanlist pointer so it can be restored later */
- chanlist_saver = cmd.chanlist;
+ user_chanlist = (unsigned int __user *)cmd.chanlist;
if (cmd.subdev >= dev->n_subdevices) {
DPRINTK("%d no such subdevice\n", cmd.subdev);
@@ -1331,7 +1331,7 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
goto cleanup;
}
- if (copy_from_user(chanlist, cmd.chanlist,
+ if (copy_from_user(chanlist, user_chanlist,
cmd.chanlist_len * sizeof(int))) {
DPRINTK("fault reading chanlist\n");
ret = -EFAULT;
@@ -1351,7 +1351,7 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
ret = s->do_cmdtest(dev, s, &cmd);
/* restore chanlist pointer before copying back */
- cmd.chanlist = chanlist_saver;
+ cmd.chanlist = (unsigned int __force *)user_chanlist;
if (copy_to_user(arg, &cmd, sizeof(struct comedi_cmd))) {
DPRINTK("bad cmd address\n");
--
1.7.11
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
