wan/farsync: copy_from_user() to iomem is wrong
authorAl Viro <viro@ftp.linux.org.uk>
Sun, 16 Mar 2008 22:22:44 +0000 (22:22 +0000)
committerJeff Garzik <jeff@garzik.org>
Mon, 17 Mar 2008 11:56:29 +0000 (07:56 -0400)
kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
drivers/net/wan/farsync.c

index cf27bf40d36eefe7285b67e9884bc87bbdee9af2..547368e9633d7bd511ceb3a4820146bd87e12486 100644 (file)
@@ -2024,6 +2024,7 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
        struct fstioc_write wrthdr;
        struct fstioc_info info;
        unsigned long flags;
+       void *buf;
 
        dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
 
@@ -2065,16 +2066,22 @@ fst_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                        return -ENXIO;
                }
 
-               /* Now copy the data to the card.
-                * This will probably break on some architectures.
-                * I'll fix it when I have something to test on.
-                */
-               if (copy_from_user(card->mem + wrthdr.offset,
+               /* Now copy the data to the card. */
+
+               buf = kmalloc(wrthdr.size, GFP_KERNEL);
+               if (!buf)
+                       return -ENOMEM;
+
+               if (copy_from_user(buf,
                                   ifr->ifr_data + sizeof (struct fstioc_write),
                                   wrthdr.size)) {
+                       kfree(buf);
                        return -EFAULT;
                }
 
+               memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
+               kfree(buf);
+
                /* Writes to the memory of a card in the reset state constitute
                 * a download
                 */