On Fri, 2006-06-09 at 08:00 -0400, Salyzyn, Mark wrote:
> Are you sure of this? The code that follows expects the end of the
> structure to be cleared. Could you clarify?

It looks like copy_in_user copies one u32 less than the structure size
and leaves that last word uninitialized? The last element of fib_ioctl
(fib) is a char pointer though. I can't see where f.fib is initialized
in next_adapter_fib even though copy_to_user is called. Even if
clear_user is called, doesn't that mean that f.fib in next_adapter_fib
will be only partially NULL, Mark.

>
> Sincerely -- Mark Salyzyn
>
> > -----Original Message-----
> > From: Christoph Hellwig [mailto:hch@xxxxxxxxxxxxx]
> > Sent: Thursday, June 08, 2006 4:11 PM
> > To: Mark Haverkamp
> > Cc: James Bottomley; linux-scsi; Salyzyn, Mark
> > Subject: Re: [PATCH 1/3] aacraid: Fix return code interpretation
> >
> >
> > > @@ -564,7 +564,7 @@
> > >
> > >  	f = compat_alloc_user_space(sizeof(*f));
> > >  	ret = 0;
> > > -	if (clear_user(f, sizeof(*f)) != sizeof(*f))
> > > +	if (clear_user(f, sizeof(*f)))
> > >  		ret = -EFAULT;
> > >  	if (copy_in_user(f, (void __user *)arg,
> > sizeof(struct fib_ioctl) - sizeof(u32)))
> > >  		ret = -EFAULT;
> > >
> >
> > just remove the clear_user call completely, it's not needed.
> >
>

-- 
Mark Haverkamp <markh@xxxxxxxx>
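Review bot: the `-` line compares clear_user's return value against sizeof(*f), but clear_user returns the number of bytes it could NOT clear (0 on success), so the old check never reported a fault and only ever flagged the impossible "nothing cleared at all" case; the `+` line `if (clear_user(f, sizeof(*f)))` is the correct interpretation. Before accepting the follow-up suggestion to drop clear_user entirely, note that the copy_in_user on the next lines copies `sizeof(struct fib_ioctl) - sizeof(u32)` bytes, which leaves the trailing word of the compat_alloc_user_space buffer undefined unless something later writes it; the hunk shows no such write, so removing clear_user is only safe if the code that follows (next_adapter_fib, per the discussion) initialises that member before it is read, and that should be confirmed or stated in the commit message.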