aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2008-05-20 13:12:48 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-05-20 13:12:48 -0400
commitc110a2bd82676a8f124cf4dfc39339fd366f0e59 (patch)
tree3637991fd8b21c22b5083546f67132dbe2dda5a4
parent81b2dbcad86732ffc02bad87aa25c4651199fc77 (diff)
parent551f4cb9de716ffcdaf968c99a450c22ff12e8c3 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: prevent userspace from accessing shut down devices ieee1394: sbp2: use correct size of command descriptor block
Diffstat
-rw-r--r--drivers/firewire/fw-cdev.c14
-rw-r--r--drivers/ieee1394/sbp2.c20
2 files changed, 22 insertions, 12 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 4a541921a14a..dda14015e873 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -113,6 +113,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file)
113 if (device == NULL) 113 if (device == NULL)
114 return -ENODEV; 114 return -ENODEV;
115 115
116 if (fw_device_is_shutdown(device)) {
117 fw_device_put(device);
118 return -ENODEV;
119 }
120
116 client = kzalloc(sizeof(*client), GFP_KERNEL); 121 client = kzalloc(sizeof(*client), GFP_KERNEL);
117 if (client == NULL) { 122 if (client == NULL) {
118 fw_device_put(device); 123 fw_device_put(device);
@@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file,
901{ 906{
902 struct client *client = file->private_data; 907 struct client *client = file->private_data;
903 908
909 if (fw_device_is_shutdown(client->device))
910 return -ENODEV;
911
904 return dispatch_ioctl(client, cmd, (void __user *) arg); 912 return dispatch_ioctl(client, cmd, (void __user *) arg);
905} 913}
906 914
@@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *file,
911{ 919{
912 struct client *client = file->private_data; 920 struct client *client = file->private_data;
913 921
922 if (fw_device_is_shutdown(client->device))
923 return -ENODEV;
924
914 return dispatch_ioctl(client, cmd, compat_ptr(arg)); 925 return dispatch_ioctl(client, cmd, compat_ptr(arg));
915} 926}
916#endif 927#endif
@@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file *file, struct vm_area_struct *vma)
922 unsigned long size; 933 unsigned long size;
923 int page_count, retval; 934 int page_count, retval;
924 935
936 if (fw_device_is_shutdown(client->device))
937 return -ENODEV;
938
925 /* FIXME: We could support multiple buffers, but we don't. */ 939 /* FIXME: We could support multiple buffers, but we don't. */
926 if (client->buffer.pages != NULL) 940 if (client->buffer.pages != NULL)
927 return -EBUSY; 941 return -EBUSY;
diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c
index 16b9d0ad154e..a5ceff287a28 100644
--- a/drivers/ieee1394/sbp2.c
+++ b/drivers/ieee1394/sbp2.c
@@ -1539,15 +1539,13 @@ static void sbp2_prep_command_orb_sg(struct sbp2_command_orb *orb,
1539 1539
1540static void sbp2_create_command_orb(struct sbp2_lu *lu, 1540static void sbp2_create_command_orb(struct sbp2_lu *lu,
1541 struct sbp2_command_info *cmd, 1541 struct sbp2_command_info *cmd,
1542 unchar *scsi_cmd, 1542 struct scsi_cmnd *SCpnt)
1543 unsigned int scsi_use_sg,
1544 unsigned int scsi_request_bufflen,
1545 struct scatterlist *sg,
1546 enum dma_data_direction dma_dir)
1547{ 1543{
1548 struct sbp2_fwhost_info *hi = lu->hi; 1544 struct sbp2_fwhost_info *hi = lu->hi;
1549 struct sbp2_command_orb *orb = &cmd->command_orb; 1545 struct sbp2_command_orb *orb = &cmd->command_orb;
1550 u32 orb_direction; 1546 u32 orb_direction;
1547 unsigned int scsi_request_bufflen = scsi_bufflen(SCpnt);
1548 enum dma_data_direction dma_dir = SCpnt->sc_data_direction;
1551 1549
1552 /* 1550 /*
1553 * Set-up our command ORB. 1551 * Set-up our command ORB.
@@ -1580,13 +1578,14 @@ static void sbp2_create_command_orb(struct sbp2_lu *lu,
1580 orb->data_descriptor_lo = 0x0; 1578 orb->data_descriptor_lo = 0x0;
1581 orb->misc |= ORB_SET_DIRECTION(1); 1579 orb->misc |= ORB_SET_DIRECTION(1);
1582 } else 1580 } else
1583 sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_use_sg, sg, 1581 sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_sg_count(SCpnt),
1582 scsi_sglist(SCpnt),
1584 orb_direction, dma_dir); 1583 orb_direction, dma_dir);
1585 1584
1586 sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb)); 1585 sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb));
1587 1586
1588 memset(orb->cdb, 0, 12); 1587 memset(orb->cdb, 0, sizeof(orb->cdb));
1589 memcpy(orb->cdb, scsi_cmd, COMMAND_SIZE(*scsi_cmd)); 1588 memcpy(orb->cdb, SCpnt->cmnd, SCpnt->cmd_len);
1590} 1589}
1591 1590
1592static void sbp2_link_orb_command(struct sbp2_lu *lu, 1591static void sbp2_link_orb_command(struct sbp2_lu *lu,
@@ -1669,16 +1668,13 @@ static void sbp2_link_orb_command(struct sbp2_lu *lu,
1669static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt, 1668static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt,
1670 void (*done)(struct scsi_cmnd *)) 1669 void (*done)(struct scsi_cmnd *))
1671{ 1670{
1672 unchar *scsi_cmd = (unchar *)SCpnt->cmnd;
1673 struct sbp2_command_info *cmd; 1671 struct sbp2_command_info *cmd;
1674 1672
1675 cmd = sbp2util_allocate_command_orb(lu, SCpnt, done); 1673 cmd = sbp2util_allocate_command_orb(lu, SCpnt, done);
1676 if (!cmd) 1674 if (!cmd)
1677 return -EIO; 1675 return -EIO;
1678 1676
1679 sbp2_create_command_orb(lu, cmd, scsi_cmd, scsi_sg_count(SCpnt), 1677 sbp2_create_command_orb(lu, cmd, SCpnt);
1680 scsi_bufflen(SCpnt), scsi_sglist(SCpnt),
1681 SCpnt->sc_data_direction);
1682 sbp2_link_orb_command(lu, cmd); 1678 sbp2_link_orb_command(lu, cmd);
1683 1679
1684 return 0; 1680 return 0;
generated by cgit v1.2.2 (git 2.25.0) at 2026-02-24 22:12:43 -0500