s390/pci: fix possible information leak in mmio syscall

Make sure that even in error situations we do not use copy_to_user on uninitialized kernel memory. Cc: stable@vger.kernel.org # 3.19+ Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Sebastian Ott <sebott@linux.vnet.ibm.com> 2015-02-25 07:17:48 -0500
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2015-02-26 03:24:48 -0500
commit: f0483044c1c96089256cda4cf182eea1ead77fe4 (patch)
tree: 796dbcd919384e53c5bab81ccd14e6aed6b4a663
parent: 3a9f9183bdd341a25c7805d96bbd78a31d559381 (diff)
1 files changed, 8 insertions, 9 deletions
diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c
index 8aa271b3d1ad..b1bb2b72302c 100644
--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -64,8 +64,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned long, mmio_addr,
        if (copy_from_user(buf, user_buffer, length))
                goto out;
-        memcpy_toio(io_addr, buf, length);
+        ret = zpci_memcpy_toio(io_addr, buf, length);
-        ret = 0;
 out:
        if (buf != local_buf)
                kfree(buf);
@@ -98,16 +97,16 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr,
                goto out;
        io_addr = (void __iomem *)((pfn << PAGE_SHIFT) | (mmio_addr & ~PAGE_MASK));
-        ret = -EFAULT;
+        if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) {
-        if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE)
+                ret = -EFAULT;
                goto out;
+        }
-        memcpy_fromio(buf, io_addr, length);
+        ret = zpci_memcpy_fromio(buf, io_addr, length);
+        if (ret)
-        if (copy_to_user(user_buffer, buf, length))
                goto out;
+        if (copy_to_user(user_buffer, buf, length))
+                ret = -EFAULT;
-        ret = 0;
 out:
        if (buf != local_buf)
                kfree(buf);
author	Sebastian Ott <sebott@linux.vnet.ibm.com>	2015-02-25 07:17:48 -0500
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2015-02-26 03:24:48 -0500
commit	f0483044c1c96089256cda4cf182eea1ead77fe4 (patch)
tree	796dbcd919384e53c5bab81ccd14e6aed6b4a663
parent	3a9f9183bdd341a25c7805d96bbd78a31d559381 (diff)

diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c index 8aa271b3d1ad..b1bb2b72302c 100644 --- a/arch/s390/pci/pci_mmio.c +++ b/arch/s390/pci/pci_mmio.c
@@ -64,8 +64,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned long, mmio_addr,
64	if (copy_from_user(buf, user_buffer, length))	64	if (copy_from_user(buf, user_buffer, length))
65	goto out;	65	goto out;
66		66
67	memcpy_toio(io_addr, buf, length);	67	ret = zpci_memcpy_toio(io_addr, buf, length);
68	ret = 0;
69	out:	68	out:
70	if (buf != local_buf)	69	if (buf != local_buf)
71	kfree(buf);	70	kfree(buf);
@@ -98,16 +97,16 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr,
98	goto out;	97	goto out;
99	io_addr = (void __iomem *)((pfn << PAGE_SHIFT) \| (mmio_addr & ~PAGE_MASK));	98	io_addr = (void __iomem *)((pfn << PAGE_SHIFT) \| (mmio_addr & ~PAGE_MASK));
100		99
101	ret = -EFAULT;	100	if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) {
102	if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE)	101	ret = -EFAULT;
103	goto out;	102	goto out;
104		103	}
105	memcpy_fromio(buf, io_addr, length);	104	ret = zpci_memcpy_fromio(buf, io_addr, length);
106		105	if (ret)
107	if (copy_to_user(user_buffer, buf, length))
108	goto out;	106	goto out;
		107	if (copy_to_user(user_buffer, buf, length))
		108	ret = -EFAULT;
109		109
110	ret = 0;
111	out:	110	out:
112	if (buf != local_buf)	111	if (buf != local_buf)
113	kfree(buf);	112	kfree(buf);