提交 118326e9 编写于 作者: P Peter Osterlund 提交者: Greg KH

[PATCH] Fix root hole in pktcdvd

ioctl_by_bdev may only be used INSIDE the kernel.  If the "arg" argument
refers to memory that is accessed by put_user/get_user in the ioctl
function, the memory needs to be in the kernel address space (that's the
set_fs(KERNEL_DS) doing in the ioctl_by_bdev).  This works on i386 because
even with set_fs(KERNEL_DS) the user space memory is still accessible with
put_user/get_user.  That is not true for s390.  In short the ioctl
implementation of the pktcdvd device driver is horribly broken.
Signed-off-by: NPeter Osterlund <petero2@telia.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
上级 68f66feb
...@@ -2406,7 +2406,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u ...@@ -2406,7 +2406,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u
case CDROM_LAST_WRITTEN: case CDROM_LAST_WRITTEN:
case CDROM_SEND_PACKET: case CDROM_SEND_PACKET:
case SCSI_IOCTL_SEND_COMMAND: case SCSI_IOCTL_SEND_COMMAND:
return ioctl_by_bdev(pd->bdev, cmd, arg); return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
case CDROMEJECT: case CDROMEJECT:
/* /*
...@@ -2414,7 +2414,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u ...@@ -2414,7 +2414,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u
* have to unlock it or else the eject command fails. * have to unlock it or else the eject command fails.
*/ */
pkt_lock_door(pd, 0); pkt_lock_door(pd, 0);
return ioctl_by_bdev(pd->bdev, cmd, arg); return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);
default: default:
printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd); printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册