From: "Steven A. Falco" <sfalco@harris.com>
To: "linuxppc-dev@ozlabs.org" <linuxppc-dev@ozlabs.org>
Subject: [PATCH][RFC] ibm_newemac and SIOCGMIIREG
Date: Thu, 10 Jun 2010 10:00:00 -0400 [thread overview]
Message-ID: <4C10EFE0.6030106@harris.com> (raw)
SIOCGMIIREG and SIOCSMIIREG access a user data structure via a void
pointer to user space. So, we need copy_from_user and copy_to_user
to move the data.
Signed-off-by: Steven A. Falco <sfalco@harris.com>
---
I believe there is a bug in the way the ibm_newemac driver handles the
SIOCGMIIREG (and SIOCSMIIREG) ioctl. The problem is that emac_ioctl
is handed a "struct ifreq *rq" which contains a user-land pointer to
an array of 16-bit integers.
However, emac_ioctl directly accesses the data, which doesn't work.
I added the following patch to copy the data in and out.
Please note that this patch was tested in an older kernel (2.6.30)
because that is what we are using on our custom hardware. I think
this is still a problem in the current code, but I'd like reviewers
to take a look, to be sure.
--- drivers/net/ibm_newemac/core.c 2010-06-09 19:57:26.000000000 -0400
+++ /home/sfalco/core.c 2010-06-10 09:38:22.000000000 -0400
@@ -2218,6 +2218,7 @@
{
struct emac_instance *dev = netdev_priv(ndev);
struct mii_ioctl_data *data = if_mii(rq);
+ struct mii_ioctl_data user_data;
DBG(dev, "ioctl %08x" NL, cmd);
@@ -2229,13 +2230,19 @@
data->phy_id = dev->phy.address;
/* Fall through */
case SIOCGMIIREG:
- data->val_out = emac_mdio_read(ndev, dev->phy.address,
- data->reg_num);
+ if (copy_from_user(user_data, (char __user *)data, sizeof(user_data)))
+ return -EFAULT;
+ user_data->val_out = emac_mdio_read(ndev, dev->phy.address,
+ user_data->reg_num);
+ if (copy_to_user((char __user *)rq->ifr_data, user_data, sizeof(user_data)))
+ return -EFAULT;
return 0;
case SIOCSMIIREG:
- emac_mdio_write(ndev, dev->phy.address, data->reg_num,
- data->val_in);
+ if (copy_from_user(user_data, (char __user *)data, sizeof(user_data)))
+ return -EFAULT;
+ emac_mdio_write(ndev, dev->phy.address, user_data->reg_num,
+ user_data->val_in);
return 0;
default:
return -EOPNOTSUPP;
next reply other threads:[~2010-06-10 14:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-10 14:00 Steven A. Falco [this message]
2010-06-10 14:31 ` [PATCH][RFC] ibm_newemac and SIOCGMIIREG Arnd Bergmann
2010-06-10 15:27 ` Steven A. Falco
2010-06-10 17:03 ` Arnd Bergmann
2010-06-10 19:47 ` Steven A. Falco
2010-06-10 20:35 ` Arnd Bergmann
2010-06-10 21:26 ` Steven A. Falco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C10EFE0.6030106@harris.com \
--to=sfalco@harris.com \
--cc=linuxppc-dev@ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).