fix rawctl compat ioctls breakage on amd64 and itanic

RAW_SETBIND and RAW_GETBIND 32bit versions are fscked in interesting ways. 1) fs/compat_ioctl.c has COMPATIBLE_IOCTL(RAW_SETBIND) followed by HANDLE_IOCTL(RAW_SETBIND, raw_ioctl). The latter is ignored. 2) on amd64 (and itanic) the damn thing is broken - we have int + u64 + u64 and layouts on i386 and amd64 are _not_ the same. raw_ioctl() would work there, but it's never called due to (1). As it is, i386 /sbin/raw definitely doesn't work on amd64 boxen. 3) switching to raw_ioctl() as is would *not* work on e.g. sparc64 and ppc64, which would be rather sad, seeing that normal userland there is 32bit. The thing is, slapping __packed on the struct in question does not DTRT - it eliminates *all* padding. The real solution is to use compat_u64. 4) of course, all that stuff has no business being outside of raw.c in the first place - there should be ->compat_ioctl() for /dev/rawctl instead of messing with compat_ioctl.c. [akpm@linux-foundation.org: coding-style fixes] [arnd@arndb.de: port to 2.6.36] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
author: Al Viro <viro@ZenIV.linux.org.uk> 2009-08-24 18:42:56 -0400
committer: Arnd Bergmann <arnd@arndb.de> 2010-10-19 05:29:54 -0400
commit: c4a047272566b44b44222369d50a307c708c4f74 (patch)
tree: 05f3883b35741afb8afec90c61891f8a1b2c8da9 /drivers/char/raw.c
parent: 9a181c58617134822ae596339dbea076ef9b5cf7 (diff)
1 files changed, 140 insertions, 103 deletions
diff --git a/drivers/char/raw.c b/drivers/char/raw.c
index b38942f6bf31..24b2b9160aa6 100644
--- a/drivers/char/raw.c
+++ b/drivers/char/raw.c
@@ -19,8 +19,8 @@
 #include <linux/cdev.h>
 #include <linux/device.h>
 #include <linux/mutex.h>
-#include <linux/smp_lock.h>
 #include <linux/gfp.h>
+#include <linux/compat.h>
 #include <asm/uaccess.h>
@@ -55,7 +55,6 @@ static int raw_open(struct inode *inode, struct file *filp)
                return 0;
        }
-        lock_kernel();
        mutex_lock(&raw_mutex);
        /*
@@ -82,7 +81,6 @@ static int raw_open(struct inode *inode, struct file *filp)
                        bdev->bd_inode->i_mapping;
        filp->private_data = bdev;
        mutex_unlock(&raw_mutex);
-        unlock_kernel();
        return 0;
 out2:
@@ -91,7 +89,6 @@ out1:
        blkdev_put(bdev, filp->f_mode);
 out:
        mutex_unlock(&raw_mutex);
-        unlock_kernel();
        return err;
 }
@@ -125,20 +122,84 @@ static long
 raw_ioctl(struct file *filp, unsigned int command, unsigned long arg)
 {
        struct block_device *bdev = filp->private_data;
-        int ret;
+        return blkdev_ioctl(bdev, 0, command, arg);
+}
+static int bind_set(int number, u64 major, u64 minor)
+{
+        dev_t dev = MKDEV(major, minor);
+        struct raw_device_data *rawdev;
+        int err = 0;
-        lock_kernel();
+        if (number <= 0 || number >= MAX_RAW_MINORS)
-        ret = blkdev_ioctl(bdev, 0, command, arg);
+                return -EINVAL;
-        unlock_kernel();
-        return ret;
+        if (MAJOR(dev) != major || MINOR(dev) != minor)
+                return -EINVAL;
+        rawdev = &raw_devices[number];
+        /*
+         * This is like making block devices, so demand the
+         * same capability
+         */
+        if (!capable(CAP_SYS_ADMIN))
+                return -EPERM;
+        /*
+         * For now, we don't need to check that the underlying
+         * block device is present or not: we can do that when
+         * the raw device is opened.  Just check that the
+         * major/minor numbers make sense.
+         */
+        if (MAJOR(dev) == 0 && dev != 0)
+                return -EINVAL;
+        mutex_lock(&raw_mutex);
+        if (rawdev->inuse) {
+                mutex_unlock(&raw_mutex);
+                return -EBUSY;
+        }
+        if (rawdev->binding) {
+                bdput(rawdev->binding);
+                module_put(THIS_MODULE);
+        }
+        if (!dev) {
+                /* unbind */
+                rawdev->binding = NULL;
+                device_destroy(raw_class, MKDEV(RAW_MAJOR, number));
+        } else {
+                rawdev->binding = bdget(dev);
+                if (rawdev->binding == NULL) {
+                        err = -ENOMEM;
+                } else {
+                        dev_t raw = MKDEV(RAW_MAJOR, number);
+                        __module_get(THIS_MODULE);
+                        device_destroy(raw_class, raw);
+                        device_create(raw_class, NULL, raw, NULL,
+                                      "raw%d", number);
+                }
+        }
+        mutex_unlock(&raw_mutex);
+        return err;
 }
-static void bind_device(struct raw_config_request *rq)
+static int bind_get(int number, dev_t *dev)
 {
-        device_destroy(raw_class, MKDEV(RAW_MAJOR, rq->raw_minor));
+        struct raw_device_data *rawdev;
-        device_create(raw_class, NULL, MKDEV(RAW_MAJOR, rq->raw_minor), NULL,
+        struct block_device *bdev;
-                      "raw%d", rq->raw_minor);
+        if (number <= 0 || number >= MAX_RAW_MINORS)
+                return -EINVAL;
+        rawdev = &raw_devices[number];
+        mutex_lock(&raw_mutex);
+        bdev = rawdev->binding;
+        *dev = bdev ? bdev->bd_dev : 0;
+        mutex_unlock(&raw_mutex);
+        return 0;
 }
 /*
@@ -149,105 +210,78 @@ static long raw_ctl_ioctl(struct file *filp, unsigned int command,
                          unsigned long arg)
 {
        struct raw_config_request rq;
-        struct raw_device_data *rawdev;
+        dev_t dev;
-        int err = 0;
+        int err;
-        lock_kernel();
        switch (command) {
        case RAW_SETBIND:
+                if (copy_from_user(&rq, (void __user *) arg, sizeof(rq)))
+                        return -EFAULT;
+                return bind_set(rq.raw_minor, rq.block_major, rq.block_minor);
        case RAW_GETBIND:
+                if (copy_from_user(&rq, (void __user *) arg, sizeof(rq)))
+                        return -EFAULT;
-                /* First, find out which raw minor we want */
+                err = bind_get(rq.raw_minor, &dev);
+                if (err)
+                        return err;
-                if (copy_from_user(&rq, (void __user *) arg, sizeof(rq))) {
+                rq.block_major = MAJOR(dev);
-                        err = -EFAULT;
+                rq.block_minor = MINOR(dev);
-                        goto out;
-                }
-                if (rq.raw_minor <= 0 || rq.raw_minor >= MAX_RAW_MINORS) {
+                if (copy_to_user((void __user *)arg, &rq, sizeof(rq)))
-                        err = -EINVAL;
+                        return -EFAULT;
-                        goto out;
-                }
+                return 0;
-                rawdev = &raw_devices[rq.raw_minor];
-                if (command == RAW_SETBIND) {
-                        dev_t dev;
-                        /*
-                         * This is like making block devices, so demand the
-                         * same capability
-                         */
-                        if (!capable(CAP_SYS_ADMIN)) {
-                                err = -EPERM;
-                                goto out;
-                        }
-                        /*
-                         * For now, we don't need to check that the underlying
-                         * block device is present or not: we can do that when
-                         * the raw device is opened.  Just check that the
-                         * major/minor numbers make sense.
-                         */
-                        dev = MKDEV(rq.block_major, rq.block_minor);
-                        if ((rq.block_major == 0 && rq.block_minor != 0) ||
-                                        MAJOR(dev) != rq.block_major ||
-                                        MINOR(dev) != rq.block_minor) {
-                                err = -EINVAL;
-                                goto out;
-                        }
-                        mutex_lock(&raw_mutex);
-                        if (rawdev->inuse) {
-                                mutex_unlock(&raw_mutex);
-                                err = -EBUSY;
-                                goto out;
-                        }
-                        if (rawdev->binding) {
-                                bdput(rawdev->binding);
-                                module_put(THIS_MODULE);
-                        }
-                        if (rq.block_major == 0 && rq.block_minor == 0) {
-                                /* unbind */
-                                rawdev->binding = NULL;
-                                device_destroy(raw_class,
-                                                MKDEV(RAW_MAJOR, rq.raw_minor));
-                        } else {
-                                rawdev->binding = bdget(dev);
-                                if (rawdev->binding == NULL)
-                                        err = -ENOMEM;
-                                else {
-                                        __module_get(THIS_MODULE);
-                                        bind_device(&rq);
-                                }
-                        }
-                        mutex_unlock(&raw_mutex);
-                } else {
-                        struct block_device *bdev;
-                        mutex_lock(&raw_mutex);
-                        bdev = rawdev->binding;
-                        if (bdev) {
-                                rq.block_major = MAJOR(bdev->bd_dev);
-                                rq.block_minor = MINOR(bdev->bd_dev);
-                        } else {
-                                rq.block_major = rq.block_minor = 0;
-                        }
-                        mutex_unlock(&raw_mutex);
-                        if (copy_to_user((void __user *)arg, &rq, sizeof(rq))) {
-                                err = -EFAULT;
-                                goto out;
-                        }
-                }
-                break;
-        default:
-                err = -EINVAL;
-                break;
        }
-out:
-        unlock_kernel();
+        return -EINVAL;
-        return err;
+}
+#ifdef CONFIG_COMPAT
+struct raw32_config_request {
+        compat_int_t    raw_minor;
+        compat_u64      block_major;
+        compat_u64      block_minor;
+};
+static long raw_ctl_compat_ioctl(struct file *file, unsigned int cmd,
+                                unsigned long arg)
+{
+        struct raw32_config_request __user *user_req = compat_ptr(arg);
+        struct raw32_config_request rq;
+        dev_t dev;
+        int err = 0;
+        switch (cmd) {
+        case RAW_SETBIND:
+                if (copy_from_user(&rq, user_req, sizeof(rq)))
+                        return -EFAULT;
+                return bind_set(rq.raw_minor, rq.block_major, rq.block_minor);
+        case RAW_GETBIND:
+                if (copy_from_user(&rq, user_req, sizeof(rq)))
+                        return -EFAULT;
+                err = bind_get(rq.raw_minor, &dev);
+                if (err)
+                        return err;
+                rq.block_major = MAJOR(dev);
+                rq.block_minor = MINOR(dev);
+                if (copy_to_user(user_req, &rq, sizeof(rq)))
+                        return -EFAULT;
+                return 0;
+        }
+        return -EINVAL;
 }
+#endif
 static const struct file_operations raw_fops = {
        .read           = do_sync_read,
@@ -263,6 +297,9 @@ static const struct file_operations raw_fops = {
 static const struct file_operations raw_ctl_fops = {
        .unlocked_ioctl = raw_ctl_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl   = raw_ctl_compat_ioctl,
+#endif
        .open           = raw_open,
        .owner          = THIS_MODULE,
 };
author	Al Viro <viro@ZenIV.linux.org.uk>	2009-08-24 18:42:56 -0400
committer	Arnd Bergmann <arnd@arndb.de>	2010-10-19 05:29:54 -0400
commit	c4a047272566b44b44222369d50a307c708c4f74 (patch)
tree	05f3883b35741afb8afec90c61891f8a1b2c8da9 /drivers/char/raw.c
parent	9a181c58617134822ae596339dbea076ef9b5cf7 (diff)

diff --git a/drivers/char/raw.c b/drivers/char/raw.c index b38942f6bf31..24b2b9160aa6 100644 --- a/drivers/char/raw.c +++ b/drivers/char/raw.c
@@ -19,8 +19,8 @@
19	#include <linux/cdev.h>	19	#include <linux/cdev.h>
20	#include <linux/device.h>	20	#include <linux/device.h>
21	#include <linux/mutex.h>	21	#include <linux/mutex.h>
22	#include <linux/smp_lock.h>
23	#include <linux/gfp.h>	22	#include <linux/gfp.h>
		23	#include <linux/compat.h>
24		24
25	#include <asm/uaccess.h>	25	#include <asm/uaccess.h>
26		26
@@ -55,7 +55,6 @@ static int raw_open(struct inode inode, struct file filp)
55	return 0;	55	return 0;
56	}	56	}
57		57
58	lock_kernel();
59	mutex_lock(&raw_mutex);	58	mutex_lock(&raw_mutex);
60		59
61	/*	60	/*
@@ -82,7 +81,6 @@ static int raw_open(struct inode inode, struct file filp)
82	bdev->bd_inode->i_mapping;	81	bdev->bd_inode->i_mapping;
83	filp->private_data = bdev;	82	filp->private_data = bdev;
84	mutex_unlock(&raw_mutex);	83	mutex_unlock(&raw_mutex);
85	unlock_kernel();
86	return 0;	84	return 0;
87		85
88	out2:	86	out2:
@@ -91,7 +89,6 @@ out1:
91	blkdev_put(bdev, filp->f_mode);	89	blkdev_put(bdev, filp->f_mode);
92	out:	90	out:
93	mutex_unlock(&raw_mutex);	91	mutex_unlock(&raw_mutex);
94	unlock_kernel();
95	return err;	92	return err;
96	}	93	}
97		94
@@ -125,20 +122,84 @@ static long
125	raw_ioctl(struct file *filp, unsigned int command, unsigned long arg)	122	raw_ioctl(struct file *filp, unsigned int command, unsigned long arg)
126	{	123	{
127	struct block_device *bdev = filp->private_data;	124	struct block_device *bdev = filp->private_data;
128	int ret;	125	return blkdev_ioctl(bdev, 0, command, arg);
		126	}
		127
		128	static int bind_set(int number, u64 major, u64 minor)
		129	{
		130	dev_t dev = MKDEV(major, minor);
		131	struct raw_device_data *rawdev;
		132	int err = 0;
129		133
130	lock_kernel();	134	if (number <= 0 \|\| number >= MAX_RAW_MINORS)
131	ret = blkdev_ioctl(bdev, 0, command, arg);	135	return -EINVAL;
132	unlock_kernel();
133		136
134	return ret;	137	if (MAJOR(dev) != major \|\| MINOR(dev) != minor)
		138	return -EINVAL;
		139
		140	rawdev = &raw_devices[number];
		141
		142	/*
		143	* This is like making block devices, so demand the
		144	* same capability
		145	*/
		146	if (!capable(CAP_SYS_ADMIN))
		147	return -EPERM;
		148
		149	/*
		150	* For now, we don't need to check that the underlying
		151	* block device is present or not: we can do that when
		152	* the raw device is opened. Just check that the
		153	* major/minor numbers make sense.
		154	*/
		155
		156	if (MAJOR(dev) == 0 && dev != 0)
		157	return -EINVAL;
		158
		159	mutex_lock(&raw_mutex);
		160	if (rawdev->inuse) {
		161	mutex_unlock(&raw_mutex);
		162	return -EBUSY;
		163	}
		164	if (rawdev->binding) {
		165	bdput(rawdev->binding);
		166	module_put(THIS_MODULE);
		167	}
		168	if (!dev) {
		169	/* unbind */
		170	rawdev->binding = NULL;
		171	device_destroy(raw_class, MKDEV(RAW_MAJOR, number));
		172	} else {
		173	rawdev->binding = bdget(dev);
		174	if (rawdev->binding == NULL) {
		175	err = -ENOMEM;
		176	} else {
		177	dev_t raw = MKDEV(RAW_MAJOR, number);
		178	__module_get(THIS_MODULE);
		179	device_destroy(raw_class, raw);
		180	device_create(raw_class, NULL, raw, NULL,
		181	"raw%d", number);
		182	}
		183	}
		184	mutex_unlock(&raw_mutex);
		185	return err;
135	}	186	}
136		187
137	static void bind_device(struct raw_config_request *rq)	188	static int bind_get(int number, dev_t *dev)
138	{	189	{
139	device_destroy(raw_class, MKDEV(RAW_MAJOR, rq->raw_minor));	190	struct raw_device_data *rawdev;
140	device_create(raw_class, NULL, MKDEV(RAW_MAJOR, rq->raw_minor), NULL,	191	struct block_device *bdev;
141	"raw%d", rq->raw_minor);	192
		193	if (number <= 0 \|\| number >= MAX_RAW_MINORS)
		194	return -EINVAL;
		195
		196	rawdev = &raw_devices[number];
		197
		198	mutex_lock(&raw_mutex);
		199	bdev = rawdev->binding;
		200	*dev = bdev ? bdev->bd_dev : 0;
		201	mutex_unlock(&raw_mutex);
		202	return 0;
142	}	203	}
143		204
144	/*	205	/*
@@ -149,105 +210,78 @@ static long raw_ctl_ioctl(struct file *filp, unsigned int command,
149	unsigned long arg)	210	unsigned long arg)
150	{	211	{
151	struct raw_config_request rq;	212	struct raw_config_request rq;
152	struct raw_device_data *rawdev;	213	dev_t dev;
153	int err = 0;	214	int err;
154		215
155	lock_kernel();
156	switch (command) {	216	switch (command) {
157	case RAW_SETBIND:	217	case RAW_SETBIND:
		218	if (copy_from_user(&rq, (void __user *) arg, sizeof(rq)))
		219	return -EFAULT;
		220
		221	return bind_set(rq.raw_minor, rq.block_major, rq.block_minor);
		222
158	case RAW_GETBIND:	223	case RAW_GETBIND:
		224	if (copy_from_user(&rq, (void __user *) arg, sizeof(rq)))
		225	return -EFAULT;
159		226
160	/* First, find out which raw minor we want */	227	err = bind_get(rq.raw_minor, &dev);
		228	if (err)
		229	return err;
161		230
162	if (copy_from_user(&rq, (void __user *) arg, sizeof(rq))) {	231	rq.block_major = MAJOR(dev);
163	err = -EFAULT;	232	rq.block_minor = MINOR(dev);
164	goto out;
165	}
166		233
167	if (rq.raw_minor <= 0 \|\| rq.raw_minor >= MAX_RAW_MINORS) {	234	if (copy_to_user((void __user *)arg, &rq, sizeof(rq)))
168	err = -EINVAL;	235	return -EFAULT;
169	goto out;	236
170	}	237	return 0;
171	rawdev = &raw_devices[rq.raw_minor];
172
173	if (command == RAW_SETBIND) {
174	dev_t dev;
175
176	/*
177	* This is like making block devices, so demand the
178	* same capability
179	*/
180	if (!capable(CAP_SYS_ADMIN)) {
181	err = -EPERM;
182	goto out;
183	}
184
185	/*
186	* For now, we don't need to check that the underlying
187	* block device is present or not: we can do that when
188	* the raw device is opened. Just check that the
189	* major/minor numbers make sense.
190	*/
191
192	dev = MKDEV(rq.block_major, rq.block_minor);
193	if ((rq.block_major == 0 && rq.block_minor != 0) \|\|
194	MAJOR(dev) != rq.block_major \|\|
195	MINOR(dev) != rq.block_minor) {
196	err = -EINVAL;
197	goto out;
198	}
199
200	mutex_lock(&raw_mutex);
201	if (rawdev->inuse) {
202	mutex_unlock(&raw_mutex);
203	err = -EBUSY;
204	goto out;
205	}
206	if (rawdev->binding) {
207	bdput(rawdev->binding);
208	module_put(THIS_MODULE);
209	}
210	if (rq.block_major == 0 && rq.block_minor == 0) {
211	/* unbind */
212	rawdev->binding = NULL;
213	device_destroy(raw_class,
214	MKDEV(RAW_MAJOR, rq.raw_minor));
215	} else {
216	rawdev->binding = bdget(dev);
217	if (rawdev->binding == NULL)
218	err = -ENOMEM;
219	else {
220	__module_get(THIS_MODULE);
221	bind_device(&rq);
222	}
223	}
224	mutex_unlock(&raw_mutex);
225	} else {
226	struct block_device *bdev;
227
228	mutex_lock(&raw_mutex);
229	bdev = rawdev->binding;
230	if (bdev) {
231	rq.block_major = MAJOR(bdev->bd_dev);
232	rq.block_minor = MINOR(bdev->bd_dev);
233	} else {
234	rq.block_major = rq.block_minor = 0;
235	}
236	mutex_unlock(&raw_mutex);
237	if (copy_to_user((void __user *)arg, &rq, sizeof(rq))) {
238	err = -EFAULT;
239	goto out;
240	}
241	}
242	break;
243	default:
244	err = -EINVAL;
245	break;
246	}	238	}
247	out:	239
248	unlock_kernel();	240	return -EINVAL;
249	return err;	241	}
		242
		243	#ifdef CONFIG_COMPAT
		244	struct raw32_config_request {
		245	compat_int_t raw_minor;
		246	compat_u64 block_major;
		247	compat_u64 block_minor;
		248	};
		249
		250	static long raw_ctl_compat_ioctl(struct file *file, unsigned int cmd,
		251	unsigned long arg)
		252	{
		253	struct raw32_config_request __user *user_req = compat_ptr(arg);
		254	struct raw32_config_request rq;
		255	dev_t dev;
		256	int err = 0;
		257
		258	switch (cmd) {
		259	case RAW_SETBIND:
		260	if (copy_from_user(&rq, user_req, sizeof(rq)))
		261	return -EFAULT;
		262
		263	return bind_set(rq.raw_minor, rq.block_major, rq.block_minor);
		264
		265	case RAW_GETBIND:
		266	if (copy_from_user(&rq, user_req, sizeof(rq)))
		267	return -EFAULT;
		268
		269	err = bind_get(rq.raw_minor, &dev);
		270	if (err)
		271	return err;
		272
		273	rq.block_major = MAJOR(dev);
		274	rq.block_minor = MINOR(dev);
		275
		276	if (copy_to_user(user_req, &rq, sizeof(rq)))
		277	return -EFAULT;
		278
		279	return 0;
		280	}
		281
		282	return -EINVAL;
250	}	283	}
		284	#endif
251		285
252	static const struct file_operations raw_fops = {	286	static const struct file_operations raw_fops = {
253	.read = do_sync_read,	287	.read = do_sync_read,
@@ -263,6 +297,9 @@ static const struct file_operations raw_fops = {
263		297
264	static const struct file_operations raw_ctl_fops = {	298	static const struct file_operations raw_ctl_fops = {
265	.unlocked_ioctl = raw_ctl_ioctl,	299	.unlocked_ioctl = raw_ctl_ioctl,
		300	#ifdef CONFIG_COMPAT
		301	.compat_ioctl = raw_ctl_compat_ioctl,
		302	#endif
266	.open = raw_open,	303	.open = raw_open,
267	.owner = THIS_MODULE,	304	.owner = THIS_MODULE,
268	};	305	};