wan/farsync: copy_from_user() to iomem is wrong

kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jeff Garzik <jeff@garzik.org>
author: Al Viro <viro@ftp.linux.org.uk> 2008-03-16 18:22:44 -0400
committer: Jeff Garzik <jeff@garzik.org> 2008-03-17 07:56:29 -0400
commit: 5ffa6d7f613ca0198dae235986443cd921fa2e75 (patch)
tree: f91ae00e87f9adf78e9b0ad5f3f2e7fe1e49ea94 /drivers
parent: ed773b4ab1387a25b3be027d45c94daae3c8a607 (diff)
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
index cf27bf40d36e..547368e9633d 100644
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
        struct fstioc_write wrthdr;
        struct fstioc_info info;
        unsigned long flags;
+        void *buf;
        dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                        return -ENXIO;
                }
-                /* Now copy the data to the card.
+                /* Now copy the data to the card. */
-                 * This will probably break on some architectures.
-                 * I'll fix it when I have something to test on.
+                buf = kmalloc(wrthdr.size, GFP_KERNEL);
-                 */
+                if (!buf)
-                if (copy_from_user(card->mem + wrthdr.offset,
+                        return -ENOMEM;
+                if (copy_from_user(buf,
                                   ifr->ifr_data + sizeof (struct fstioc_write),
                                   wrthdr.size)) {
+                        kfree(buf);
                        return -EFAULT;
                }
+                memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
+                kfree(buf);
                /* Writes to the memory of a card in the reset state constitute
                 * a download
                 */
author	Al Viro <viro@ftp.linux.org.uk>	2008-03-16 18:22:44 -0400
committer	Jeff Garzik <jeff@garzik.org>	2008-03-17 07:56:29 -0400
commit	5ffa6d7f613ca0198dae235986443cd921fa2e75 (patch)
tree	f91ae00e87f9adf78e9b0ad5f3f2e7fe1e49ea94 /drivers
parent	ed773b4ab1387a25b3be027d45c94daae3c8a607 (diff)

diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c index cf27bf40d36e..547368e9633d 100644 --- a/drivers/net/wan/farsync.c +++ b/drivers/net/wan/farsync.c
@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device dev, struct ifreq ifr, int cmd)
2024	struct fstioc_write wrthdr;	2024	struct fstioc_write wrthdr;
2025	struct fstioc_info info;	2025	struct fstioc_info info;
2026	unsigned long flags;	2026	unsigned long flags;
		2027	void *buf;
2027		2028
2028	dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);	2029	dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
2029		2030
@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device dev, struct ifreq ifr, int cmd)
2065	return -ENXIO;	2066	return -ENXIO;
2066	}	2067	}
2067		2068
2068	/* Now copy the data to the card.	2069	/* Now copy the data to the card. */
2069	* This will probably break on some architectures.	2070
2070	* I'll fix it when I have something to test on.	2071	buf = kmalloc(wrthdr.size, GFP_KERNEL);
2071	*/	2072	if (!buf)
2072	if (copy_from_user(card->mem + wrthdr.offset,	2073	return -ENOMEM;
		2074
		2075	if (copy_from_user(buf,
2073	ifr->ifr_data + sizeof (struct fstioc_write),	2076	ifr->ifr_data + sizeof (struct fstioc_write),
2074	wrthdr.size)) {	2077	wrthdr.size)) {
		2078	kfree(buf);
2075	return -EFAULT;	2079	return -EFAULT;
2076	}	2080	}
2077		2081
		2082	memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
		2083	kfree(buf);
		2084
2078	/* Writes to the memory of a card in the reset state constitute	2085	/* Writes to the memory of a card in the reset state constitute
2079	* a download	2086	* a download
2080	*/	2087	*/