* [PATCH] spi: spidev: Fix user-space memory access.
@ 2014-06-19 21:52 ` dsneddon
0 siblings, 0 replies; 3+ messages in thread
From: dsneddon-sgV2jX0FEOL9JmXXK+q4OQ @ 2014-06-19 21:52 UTC (permalink / raw)
To: linux-spi-u79uwXL29TY76Z2rM5mHXA
Cc: broonie-DgEjT+Ai2ygdnm+yROfE0A,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-arm-msm-u79uwXL29TY76Z2rM5mHXA
When the spidev module tries to access the user space memory passed in via
an IOCTL the compat_ptr function should be called to ensure
compatibility between kernel space and user space.
Signed-off-by: Dan Sneddon <dsneddon-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
---
drivers/spi/spidev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index e3bc23b..3a45158 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev,
if (u_tmp->rx_buf) {
k_tmp->rx_buf = buf;
if (!access_ok(VERIFY_WRITE, (u8 __user *)
- (uintptr_t) u_tmp->rx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->rx_buf),
u_tmp->len))
goto done;
}
if (u_tmp->tx_buf) {
k_tmp->tx_buf = buf;
if (copy_from_user(buf, (const u8 __user *)
- (uintptr_t) u_tmp->tx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->tx_buf),
u_tmp->len))
goto done;
}
@@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
if (u_tmp->rx_buf) {
if (__copy_to_user((u8 __user *)
- (uintptr_t) u_tmp->rx_buf, buf, -
u_tmp->len)) {
+
(uintptr_t)compat_ptr(u_tmp->rx_buf),
+ buf, u_tmp->len)) {
status = -EFAULT;
goto done;
}
--
1.8.4
---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
--
To unsubscribe from this list: send the line "unsubscribe linux-spi" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] spi: spidev: Fix user-space memory access.
@ 2014-06-19 21:52 ` dsneddon
0 siblings, 0 replies; 3+ messages in thread
From: dsneddon @ 2014-06-19 21:52 UTC (permalink / raw)
To: linux-spi; +Cc: broonie, linux-kernel, linux-arm-msm
When the spidev module tries to access the user space memory passed in via
an IOCTL the compat_ptr function should be called to ensure
compatibility between kernel space and user space.
Signed-off-by: Dan Sneddon <dsneddon@codeaurora.org>
---
drivers/spi/spidev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index e3bc23b..3a45158 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev,
if (u_tmp->rx_buf) {
k_tmp->rx_buf = buf;
if (!access_ok(VERIFY_WRITE, (u8 __user *)
- (uintptr_t) u_tmp->rx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->rx_buf),
u_tmp->len))
goto done;
}
if (u_tmp->tx_buf) {
k_tmp->tx_buf = buf;
if (copy_from_user(buf, (const u8 __user *)
- (uintptr_t) u_tmp->tx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->tx_buf),
u_tmp->len))
goto done;
}
@@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
if (u_tmp->rx_buf) {
if (__copy_to_user((u8 __user *)
- (uintptr_t) u_tmp->rx_buf, buf, -
u_tmp->len)) {
+
(uintptr_t)compat_ptr(u_tmp->rx_buf),
+ buf, u_tmp->len)) {
status = -EFAULT;
goto done;
}
--
1.8.4
---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] spi: spidev: Fix user-space memory access.
2014-06-19 21:52 ` dsneddon
(?)
@ 2014-06-20 20:40 ` dsneddon
-1 siblings, 0 replies; 3+ messages in thread
From: dsneddon @ 2014-06-20 20:40 UTC (permalink / raw)
To: linux-spi; +Cc: broonie, linux-kernel, linux-arm-msm
I just noticed this patch breaks when CONFIG_COMPAT isn't defined. Please
ignore this patch for now.
> When the spidev module tries to access the user space memory passed in via
> an IOCTL the compat_ptr function should be called to ensure
> compatibility between kernel space and user space.
>
> Signed-off-by: Dan Sneddon <dsneddon@codeaurora.org>
> ---
> drivers/spi/spidev.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
> index e3bc23b..3a45158 100644
> --- a/drivers/spi/spidev.c
> +++ b/drivers/spi/spidev.c
> @@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data
> *spidev,
> if (u_tmp->rx_buf) {
> k_tmp->rx_buf = buf;
> if (!access_ok(VERIFY_WRITE, (u8 __user *)
> - (uintptr_t) u_tmp->rx_buf,
> + (uintptr_t)compat_ptr( +
> u_tmp->rx_buf),
> u_tmp->len))
> goto done;
> }
> if (u_tmp->tx_buf) {
> k_tmp->tx_buf = buf;
> if (copy_from_user(buf, (const u8 __user *)
> - (uintptr_t) u_tmp->tx_buf,
> + (uintptr_t)compat_ptr( +
> u_tmp->tx_buf),
> u_tmp->len))
> goto done;
> }
> @@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
> for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
> if (u_tmp->rx_buf) {
> if (__copy_to_user((u8 __user *)
> - (uintptr_t) u_tmp->rx_buf, buf, -
> u_tmp->len)) {
> +
> (uintptr_t)compat_ptr(u_tmp->rx_buf),
> + buf, u_tmp->len)) {
> status = -EFAULT;
> goto done;
> }
> --
> 1.8.4
>
>
>
>
>
>
> ---
> sent by an employee of the Qualcomm Innovation Center, Inc.
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> hosted by The Linux Foundation
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-arm-msm"
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-06-20 20:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-19 21:52 [PATCH] spi: spidev: Fix user-space memory access dsneddon-sgV2jX0FEOL9JmXXK+q4OQ
2014-06-19 21:52 ` dsneddon
2014-06-20 20:40 ` dsneddon
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.