From patchwork Thu Jun 10 14:00:00 2010
X-Patchwork-Submitter: "Steven A. Falco"
X-Patchwork-Id: 55225
Message-ID: <4C10EFE0.6030106@harris.com>
Date: Thu, 10 Jun 2010 10:00:00 -0400
From: "Steven A. Falco"
To: "linuxppc-dev@ozlabs.org"
Subject: [PATCH][RFC] ibm_newemac and SIOCGMIIREG

SIOCGMIIREG and SIOCSMIIREG access a user data structure via a void pointer to user space. So, we need copy_from_user and copy_to_user to move the data.

Signed-off-by: Steven A. Falco
---

I believe there is a bug in the way the ibm_newemac driver handles the SIOCGMIIREG (and SIOCSMIIREG) ioctl. The problem is that emac_ioctl is handed a "struct ifreq *rq" which contains a user-land pointer to an array of 16-bit integers. However, emac_ioctl directly accesses the data, which doesn't work. I added the following patch to copy the data in and out.

Please note that this patch was tested in an older kernel (2.6.30) because that is what we are using on our custom hardware. I think this is still a problem in the current code, but I'd like reviewers to take a look, to be sure.

--- drivers/net/ibm_newemac/core.c 2010-06-09 19:57:26.000000000 -0400 +++ /home/sfalco/core.c 2010-06-10 09:38:22.000000000 -0400 @@ -2218,6 +2218,7 @@ { struct emac_instance *dev = netdev_priv(ndev); struct mii_ioctl_data *data = if_mii(rq); + struct mii_ioctl_data user_data; DBG(dev, "ioctl %08x" NL, cmd);
@@ -2229,13 +2230,19 @@ data->phy_id = dev->phy.address; /* Fall through */ case SIOCGMIIREG: - data->val_out = emac_mdio_read(ndev, dev->phy.address, - data->reg_num); + if (copy_from_user(user_data, (char __user *)data, sizeof(user_data))) + return -EFAULT; + user_data->val_out = emac_mdio_read(ndev, dev->phy.address, + user_data->reg_num); + if (copy_to_user((char __user *)rq->ifr_data, user_data, sizeof(user_data))) + return -EFAULT; return 0; case SIOCSMIIREG: - emac_mdio_write(ndev, dev->phy.address, data->reg_num, - data->val_in); + if (copy_from_user(user_data, (char __user *)data, sizeof(user_data))) + return -EFAULT; + emac_mdio_write(ndev, dev->phy.address, user_data->reg_num, + user_data->val_in); return 0; default: return -EOPNOTSUPP;
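Review bot: The new local `struct mii_ioctl_data user_data;` in the first hunk (@@ -2218,6 +2218,7 @@) is declared as a struct, but every later use treats it as a pointer (`user_data->val_out`, `copy_from_user(user_data, ...)`), so the patch as posted cannot have built; if the local is kept it has to be used as `&user_data` and `user_data.val_out`. More fundamentally, the unchanged context line `struct mii_ioctl_data *data = if_mii(rq);` already points at kernel memory: if_mii() returns the address of rq->ifr_ifru inside the struct ifreq that the core ioctl path (dev_ioctl() in net/core/dev.c) copies in from user space before calling the driver's ioctl handler and copies back out after it returns. There is no user-space pointer for the driver to dereference here, so the premise of the patch does not hold and the extra copy is unnecessary.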
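Review bot: The copy_from_user()/copy_to_user() pair in the second hunk (@@ -2229,13 +2230,19 @@) is inconsistent with itself and with the surrounding code: the copy_from_user() source is `data`, a kernel pointer obtained from if_mii(rq) (the `(char __user *)` cast only silences sparse, it does not make the address a user one), while the copy_to_user() destination is `rq->ifr_data`, a different member of the same ifr_ifru union, so on the SIOCGMIIREG path the result would be written to, or fail with -EFAULT on, whatever address the caller's phy_id/reg_num bytes happen to form. The `user_data->val_out` / `user_data->reg_num` accesses also need `.` rather than `->`, and both copy calls need `&user_data`, before the hunk compiles. Note too that the SIOCGMIIPHY case just above this hunk still writes `data->phy_id = dev->phy.address;` directly and is left untouched; if `data` really were a user pointer that line would have the same problem, and the fact that it has always worked is the indication that `data` is already in kernel space and the original `emac_mdio_read(ndev, dev->phy.address, data->reg_num)` and `emac_mdio_write(..., data->reg_num, data->val_in)` lines should stay as they are.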