* [PATCH] spi: spidev: Fix user-space memory access.
@ 2014-06-19 21:52 dsneddon
2014-06-20 20:40 ` dsneddon
0 siblings, 1 reply; 2+ messages in thread
From: dsneddon @ 2014-06-19 21:52 UTC (permalink / raw)
To: linux-spi; +Cc: broonie, linux-kernel, linux-arm-msm
When the spidev module tries to access the user space memory passed in via
an IOCTL the compat_ptr function should be called to ensure
compatibility between kernel space and user space.
Signed-off-by: Dan Sneddon <dsneddon@codeaurora.org>
---
drivers/spi/spidev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index e3bc23b..3a45158 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev,
if (u_tmp->rx_buf) {
k_tmp->rx_buf = buf;
if (!access_ok(VERIFY_WRITE, (u8 __user *)
- (uintptr_t) u_tmp->rx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->rx_buf),
u_tmp->len))
goto done;
}
if (u_tmp->tx_buf) {
k_tmp->tx_buf = buf;
if (copy_from_user(buf, (const u8 __user *)
- (uintptr_t) u_tmp->tx_buf,
+ (uintptr_t)compat_ptr( +
u_tmp->tx_buf),
u_tmp->len))
goto done;
}
@@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
if (u_tmp->rx_buf) {
if (__copy_to_user((u8 __user *)
- (uintptr_t) u_tmp->rx_buf, buf, -
u_tmp->len)) {
+
(uintptr_t)compat_ptr(u_tmp->rx_buf),
+ buf, u_tmp->len)) {
status = -EFAULT;
goto done;
}
--
1.8.4
---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] spi: spidev: Fix user-space memory access.
2014-06-19 21:52 [PATCH] spi: spidev: Fix user-space memory access dsneddon
@ 2014-06-20 20:40 ` dsneddon
0 siblings, 0 replies; 2+ messages in thread
From: dsneddon @ 2014-06-20 20:40 UTC (permalink / raw)
To: linux-spi; +Cc: broonie, linux-kernel, linux-arm-msm
I just noticed this patch breaks when CONFIG_COMPAT isn't defined. Please
ignore this patch for now.
> When the spidev module tries to access the user space memory passed in via
> an IOCTL the compat_ptr function should be called to ensure
> compatibility between kernel space and user space.
>
> Signed-off-by: Dan Sneddon <dsneddon@codeaurora.org>
> ---
> drivers/spi/spidev.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
> index e3bc23b..3a45158 100644
> --- a/drivers/spi/spidev.c
> +++ b/drivers/spi/spidev.c
> @@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data
> *spidev,
> if (u_tmp->rx_buf) {
> k_tmp->rx_buf = buf;
> if (!access_ok(VERIFY_WRITE, (u8 __user *)
> - (uintptr_t) u_tmp->rx_buf,
> + (uintptr_t)compat_ptr( +
> u_tmp->rx_buf),
> u_tmp->len))
> goto done;
> }
> if (u_tmp->tx_buf) {
> k_tmp->tx_buf = buf;
> if (copy_from_user(buf, (const u8 __user *)
> - (uintptr_t) u_tmp->tx_buf,
> + (uintptr_t)compat_ptr( +
> u_tmp->tx_buf),
> u_tmp->len))
> goto done;
> }
> @@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
> for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
> if (u_tmp->rx_buf) {
> if (__copy_to_user((u8 __user *)
> - (uintptr_t) u_tmp->rx_buf, buf, -
> u_tmp->len)) {
> +
> (uintptr_t)compat_ptr(u_tmp->rx_buf),
> + buf, u_tmp->len)) {
> status = -EFAULT;
> goto done;
> }
> --
> 1.8.4
>
>
>
>
>
>
> ---
> sent by an employee of the Qualcomm Innovation Center, Inc.
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> hosted by The Linux Foundation
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-arm-msm"
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-06-20 20:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-19 21:52 [PATCH] spi: spidev: Fix user-space memory access dsneddon
2014-06-20 20:40 ` dsneddon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).