diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-07-08 13:41:53 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-07-08 13:41:53 -0400 |
| commit | 090a81d8766e21d33ab3e4d24e6c8e5eedf086dd (patch) | |
| tree | 85d642078c1bee739f5a4c48581dbd38a5a3ef65 | |
| parent | 46ace66b3b34c80341c6290cd608aae4d2de9879 (diff) | |
| parent | 251d59515fe4681a64a8bc7e37cfa00701e0f9b0 (diff) | |
Merge branch 'for-spi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull spi uaccess delousing from Al Viro:
"Getting rid of pointless __get_user() and friends in drivers/spi.
[ the only reason it's on a separate branch is that I hoped it would
be picked by spi folks; looks like mail asking them to grab it got
lost and I hadn't followed up on that ]"
* 'for-spi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
spidev: quit messing with access_ok()
| -rw-r--r-- | drivers/spi/spidev.c | 42 |
1 files changed, 11 insertions, 31 deletions
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index d4d2d8d9f3e7..cda10719d1d1 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c | |||
| @@ -253,10 +253,6 @@ static int spidev_message(struct spidev_data *spidev, | |||
| 253 | goto done; | 253 | goto done; |
| 254 | } | 254 | } |
| 255 | k_tmp->rx_buf = rx_buf; | 255 | k_tmp->rx_buf = rx_buf; |
| 256 | if (!access_ok(VERIFY_WRITE, (u8 __user *) | ||
| 257 | (uintptr_t) u_tmp->rx_buf, | ||
| 258 | u_tmp->len)) | ||
| 259 | goto done; | ||
| 260 | rx_buf += k_tmp->len; | 256 | rx_buf += k_tmp->len; |
| 261 | } | 257 | } |
| 262 | if (u_tmp->tx_buf) { | 258 | if (u_tmp->tx_buf) { |
| @@ -304,7 +300,7 @@ static int spidev_message(struct spidev_data *spidev, | |||
| 304 | rx_buf = spidev->rx_buffer; | 300 | rx_buf = spidev->rx_buffer; |
| 305 | for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) { | 301 | for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) { |
| 306 | if (u_tmp->rx_buf) { | 302 | if (u_tmp->rx_buf) { |
| 307 | if (__copy_to_user((u8 __user *) | 303 | if (copy_to_user((u8 __user *) |
| 308 | (uintptr_t) u_tmp->rx_buf, rx_buf, | 304 | (uintptr_t) u_tmp->rx_buf, rx_buf, |
| 309 | u_tmp->len)) { | 305 | u_tmp->len)) { |
| 310 | status = -EFAULT; | 306 | status = -EFAULT; |
| @@ -346,7 +342,6 @@ spidev_get_ioc_message(unsigned int cmd, struct spi_ioc_transfer __user *u_ioc, | |||
| 346 | static long | 342 | static long |
| 347 | spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | 343 | spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) |
| 348 | { | 344 | { |
| 349 | int err = 0; | ||
| 350 | int retval = 0; | 345 | int retval = 0; |
| 351 | struct spidev_data *spidev; | 346 | struct spidev_data *spidev; |
| 352 | struct spi_device *spi; | 347 | struct spi_device *spi; |
| @@ -358,19 +353,6 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |||
| 358 | if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC) | 353 | if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC) |
| 359 | return -ENOTTY; | 354 | return -ENOTTY; |
| 360 | 355 | ||
| 361 | /* Check access direction once here; don't repeat below. | ||
| 362 | * IOC_DIR is from the user perspective, while access_ok is | ||
| 363 | * from the kernel perspective; so they look reversed. | ||
| 364 | */ | ||
| 365 | if (_IOC_DIR(cmd) & _IOC_READ) | ||
| 366 | err = !access_ok(VERIFY_WRITE, | ||
| 367 | (void __user *)arg, _IOC_SIZE(cmd)); | ||
| 368 | if (err == 0 && _IOC_DIR(cmd) & _IOC_WRITE) | ||
| 369 | err = !access_ok(VERIFY_READ, | ||
| 370 | (void __user *)arg, _IOC_SIZE(cmd)); | ||
| 371 | if (err) | ||
| 372 | return -EFAULT; | ||
| 373 | |||
| 374 | /* guard against device removal before, or while, | 356 | /* guard against device removal before, or while, |
| 375 | * we issue this ioctl. | 357 | * we issue this ioctl. |
| 376 | */ | 358 | */ |
| @@ -393,31 +375,31 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |||
| 393 | switch (cmd) { | 375 | switch (cmd) { |
| 394 | /* read requests */ | 376 | /* read requests */ |
| 395 | case SPI_IOC_RD_MODE: | 377 | case SPI_IOC_RD_MODE: |
| 396 | retval = __put_user(spi->mode & SPI_MODE_MASK, | 378 | retval = put_user(spi->mode & SPI_MODE_MASK, |
| 397 | (__u8 __user *)arg); | 379 | (__u8 __user *)arg); |
| 398 | break; | 380 | break; |
| 399 | case SPI_IOC_RD_MODE32: | 381 | case SPI_IOC_RD_MODE32: |
| 400 | retval = __put_user(spi->mode & SPI_MODE_MASK, | 382 | retval = put_user(spi->mode & SPI_MODE_MASK, |
| 401 | (__u32 __user *)arg); | 383 | (__u32 __user *)arg); |
| 402 | break; | 384 | break; |
| 403 | case SPI_IOC_RD_LSB_FIRST: | 385 | case SPI_IOC_RD_LSB_FIRST: |
| 404 | retval = __put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0, | 386 | retval = put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0, |
| 405 | (__u8 __user *)arg); | 387 | (__u8 __user *)arg); |
| 406 | break; | 388 | break; |
| 407 | case SPI_IOC_RD_BITS_PER_WORD: | 389 | case SPI_IOC_RD_BITS_PER_WORD: |
| 408 | retval = __put_user(spi->bits_per_word, (__u8 __user *)arg); | 390 | retval = put_user(spi->bits_per_word, (__u8 __user *)arg); |
| 409 | break; | 391 | break; |
| 410 | case SPI_IOC_RD_MAX_SPEED_HZ: | 392 | case SPI_IOC_RD_MAX_SPEED_HZ: |
| 411 | retval = __put_user(spidev->speed_hz, (__u32 __user *)arg); | 393 | retval = put_user(spidev->speed_hz, (__u32 __user *)arg); |
| 412 | break; | 394 | break; |
| 413 | 395 | ||
| 414 | /* write requests */ | 396 | /* write requests */ |
| 415 | case SPI_IOC_WR_MODE: | 397 | case SPI_IOC_WR_MODE: |
| 416 | case SPI_IOC_WR_MODE32: | 398 | case SPI_IOC_WR_MODE32: |
| 417 | if (cmd == SPI_IOC_WR_MODE) | 399 | if (cmd == SPI_IOC_WR_MODE) |
| 418 | retval = __get_user(tmp, (u8 __user *)arg); | 400 | retval = get_user(tmp, (u8 __user *)arg); |
| 419 | else | 401 | else |
| 420 | retval = __get_user(tmp, (u32 __user *)arg); | 402 | retval = get_user(tmp, (u32 __user *)arg); |
| 421 | if (retval == 0) { | 403 | if (retval == 0) { |
| 422 | u32 save = spi->mode; | 404 | u32 save = spi->mode; |
| 423 | 405 | ||
| @@ -436,7 +418,7 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |||
| 436 | } | 418 | } |
| 437 | break; | 419 | break; |
| 438 | case SPI_IOC_WR_LSB_FIRST: | 420 | case SPI_IOC_WR_LSB_FIRST: |
| 439 | retval = __get_user(tmp, (__u8 __user *)arg); | 421 | retval = get_user(tmp, (__u8 __user *)arg); |
| 440 | if (retval == 0) { | 422 | if (retval == 0) { |
| 441 | u32 save = spi->mode; | 423 | u32 save = spi->mode; |
| 442 | 424 | ||
| @@ -453,7 +435,7 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |||
| 453 | } | 435 | } |
| 454 | break; | 436 | break; |
| 455 | case SPI_IOC_WR_BITS_PER_WORD: | 437 | case SPI_IOC_WR_BITS_PER_WORD: |
| 456 | retval = __get_user(tmp, (__u8 __user *)arg); | 438 | retval = get_user(tmp, (__u8 __user *)arg); |
| 457 | if (retval == 0) { | 439 | if (retval == 0) { |
| 458 | u8 save = spi->bits_per_word; | 440 | u8 save = spi->bits_per_word; |
| 459 | 441 | ||
| @@ -466,7 +448,7 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) | |||
| 466 | } | 448 | } |
| 467 | break; | 449 | break; |
| 468 | case SPI_IOC_WR_MAX_SPEED_HZ: | 450 | case SPI_IOC_WR_MAX_SPEED_HZ: |
| 469 | retval = __get_user(tmp, (__u32 __user *)arg); | 451 | retval = get_user(tmp, (__u32 __user *)arg); |
| 470 | if (retval == 0) { | 452 | if (retval == 0) { |
| 471 | u32 save = spi->max_speed_hz; | 453 | u32 save = spi->max_speed_hz; |
| 472 | 454 | ||
| @@ -516,8 +498,6 @@ spidev_compat_ioc_message(struct file *filp, unsigned int cmd, | |||
| 516 | struct spi_ioc_transfer *ioc; | 498 | struct spi_ioc_transfer *ioc; |
| 517 | 499 | ||
| 518 | u_ioc = (struct spi_ioc_transfer __user *) compat_ptr(arg); | 500 | u_ioc = (struct spi_ioc_transfer __user *) compat_ptr(arg); |
| 519 | if (!access_ok(VERIFY_READ, u_ioc, _IOC_SIZE(cmd))) | ||
| 520 | return -EFAULT; | ||
| 521 | 501 | ||
| 522 | /* guard against device removal before, or while, | 502 | /* guard against device removal before, or while, |
| 523 | * we issue this ioctl. | 503 | * we issue this ioctl. |