diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-20 13:12:48 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-20 13:12:48 -0400 |
commit | c110a2bd82676a8f124cf4dfc39339fd366f0e59 (patch) | |
tree | 3637991fd8b21c22b5083546f67132dbe2dda5a4 | |
parent | 81b2dbcad86732ffc02bad87aa25c4651199fc77 (diff) | |
parent | 551f4cb9de716ffcdaf968c99a450c22ff12e8c3 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: prevent userspace from accessing shut down devices
ieee1394: sbp2: use correct size of command descriptor block
-rw-r--r-- | drivers/firewire/fw-cdev.c | 14 | ||||
-rw-r--r-- | drivers/ieee1394/sbp2.c | 20 |
2 files changed, 22 insertions, 12 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 4a541921a14a..dda14015e873 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c | |||
@@ -113,6 +113,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file) | |||
113 | if (device == NULL) | 113 | if (device == NULL) |
114 | return -ENODEV; | 114 | return -ENODEV; |
115 | 115 | ||
116 | if (fw_device_is_shutdown(device)) { | ||
117 | fw_device_put(device); | ||
118 | return -ENODEV; | ||
119 | } | ||
120 | |||
116 | client = kzalloc(sizeof(*client), GFP_KERNEL); | 121 | client = kzalloc(sizeof(*client), GFP_KERNEL); |
117 | if (client == NULL) { | 122 | if (client == NULL) { |
118 | fw_device_put(device); | 123 | fw_device_put(device); |
@@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file, | |||
901 | { | 906 | { |
902 | struct client *client = file->private_data; | 907 | struct client *client = file->private_data; |
903 | 908 | ||
909 | if (fw_device_is_shutdown(client->device)) | ||
910 | return -ENODEV; | ||
911 | |||
904 | return dispatch_ioctl(client, cmd, (void __user *) arg); | 912 | return dispatch_ioctl(client, cmd, (void __user *) arg); |
905 | } | 913 | } |
906 | 914 | ||
@@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *file, | |||
911 | { | 919 | { |
912 | struct client *client = file->private_data; | 920 | struct client *client = file->private_data; |
913 | 921 | ||
922 | if (fw_device_is_shutdown(client->device)) | ||
923 | return -ENODEV; | ||
924 | |||
914 | return dispatch_ioctl(client, cmd, compat_ptr(arg)); | 925 | return dispatch_ioctl(client, cmd, compat_ptr(arg)); |
915 | } | 926 | } |
916 | #endif | 927 | #endif |
@@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file *file, struct vm_area_struct *vma) | |||
922 | unsigned long size; | 933 | unsigned long size; |
923 | int page_count, retval; | 934 | int page_count, retval; |
924 | 935 | ||
936 | if (fw_device_is_shutdown(client->device)) | ||
937 | return -ENODEV; | ||
938 | |||
925 | /* FIXME: We could support multiple buffers, but we don't. */ | 939 | /* FIXME: We could support multiple buffers, but we don't. */ |
926 | if (client->buffer.pages != NULL) | 940 | if (client->buffer.pages != NULL) |
927 | return -EBUSY; | 941 | return -EBUSY; |
diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c index 16b9d0ad154e..a5ceff287a28 100644 --- a/drivers/ieee1394/sbp2.c +++ b/drivers/ieee1394/sbp2.c | |||
@@ -1539,15 +1539,13 @@ static void sbp2_prep_command_orb_sg(struct sbp2_command_orb *orb, | |||
1539 | 1539 | ||
1540 | static void sbp2_create_command_orb(struct sbp2_lu *lu, | 1540 | static void sbp2_create_command_orb(struct sbp2_lu *lu, |
1541 | struct sbp2_command_info *cmd, | 1541 | struct sbp2_command_info *cmd, |
1542 | unchar *scsi_cmd, | 1542 | struct scsi_cmnd *SCpnt) |
1543 | unsigned int scsi_use_sg, | ||
1544 | unsigned int scsi_request_bufflen, | ||
1545 | struct scatterlist *sg, | ||
1546 | enum dma_data_direction dma_dir) | ||
1547 | { | 1543 | { |
1548 | struct sbp2_fwhost_info *hi = lu->hi; | 1544 | struct sbp2_fwhost_info *hi = lu->hi; |
1549 | struct sbp2_command_orb *orb = &cmd->command_orb; | 1545 | struct sbp2_command_orb *orb = &cmd->command_orb; |
1550 | u32 orb_direction; | 1546 | u32 orb_direction; |
1547 | unsigned int scsi_request_bufflen = scsi_bufflen(SCpnt); | ||
1548 | enum dma_data_direction dma_dir = SCpnt->sc_data_direction; | ||
1551 | 1549 | ||
1552 | /* | 1550 | /* |
1553 | * Set-up our command ORB. | 1551 | * Set-up our command ORB. |
@@ -1580,13 +1578,14 @@ static void sbp2_create_command_orb(struct sbp2_lu *lu, | |||
1580 | orb->data_descriptor_lo = 0x0; | 1578 | orb->data_descriptor_lo = 0x0; |
1581 | orb->misc |= ORB_SET_DIRECTION(1); | 1579 | orb->misc |= ORB_SET_DIRECTION(1); |
1582 | } else | 1580 | } else |
1583 | sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_use_sg, sg, | 1581 | sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_sg_count(SCpnt), |
1582 | scsi_sglist(SCpnt), | ||
1584 | orb_direction, dma_dir); | 1583 | orb_direction, dma_dir); |
1585 | 1584 | ||
1586 | sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb)); | 1585 | sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb)); |
1587 | 1586 | ||
1588 | memset(orb->cdb, 0, 12); | 1587 | memset(orb->cdb, 0, sizeof(orb->cdb)); |
1589 | memcpy(orb->cdb, scsi_cmd, COMMAND_SIZE(*scsi_cmd)); | 1588 | memcpy(orb->cdb, SCpnt->cmnd, SCpnt->cmd_len); |
1590 | } | 1589 | } |
1591 | 1590 | ||
1592 | static void sbp2_link_orb_command(struct sbp2_lu *lu, | 1591 | static void sbp2_link_orb_command(struct sbp2_lu *lu, |
@@ -1669,16 +1668,13 @@ static void sbp2_link_orb_command(struct sbp2_lu *lu, | |||
1669 | static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt, | 1668 | static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt, |
1670 | void (*done)(struct scsi_cmnd *)) | 1669 | void (*done)(struct scsi_cmnd *)) |
1671 | { | 1670 | { |
1672 | unchar *scsi_cmd = (unchar *)SCpnt->cmnd; | ||
1673 | struct sbp2_command_info *cmd; | 1671 | struct sbp2_command_info *cmd; |
1674 | 1672 | ||
1675 | cmd = sbp2util_allocate_command_orb(lu, SCpnt, done); | 1673 | cmd = sbp2util_allocate_command_orb(lu, SCpnt, done); |
1676 | if (!cmd) | 1674 | if (!cmd) |
1677 | return -EIO; | 1675 | return -EIO; |
1678 | 1676 | ||
1679 | sbp2_create_command_orb(lu, cmd, scsi_cmd, scsi_sg_count(SCpnt), | 1677 | sbp2_create_command_orb(lu, cmd, SCpnt); |
1680 | scsi_bufflen(SCpnt), scsi_sglist(SCpnt), | ||
1681 | SCpnt->sc_data_direction); | ||
1682 | sbp2_link_orb_command(lu, cmd); | 1678 | sbp2_link_orb_command(lu, cmd); |
1683 | 1679 | ||
1684 | return 0; | 1680 | return 0; |