staging/lustre/llite: Fix improper userspace access in ll_fiemap
authorOleg Drokin <green@linuxhacker.ru>
Sun, 3 Jan 2016 17:05:48 +0000 (12:05 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 3 Feb 2016 22:34:00 +0000 (14:34 -0800)
memcpy cannot be used here; use copy_to_user/copy_from_user instead.

Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/lustre/lustre/llite/file.c

index 6652fdf2ca8a28f085df273a5d2d08d9430265cb..9e50e9e19a281285506834bb5e70f2c54610058a 100644 (file)
@@ -3033,19 +3033,26 @@ static int ll_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
        fiemap->fm_extent_count = fieinfo->fi_extents_max;
        fiemap->fm_start = start;
        fiemap->fm_length = len;
-       if (extent_count > 0)
-               memcpy(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
-                      sizeof(struct ll_fiemap_extent));
+       if (extent_count > 0 &&
+           copy_from_user(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
+                          sizeof(struct ll_fiemap_extent)) != 0) {
+               rc = -EFAULT;
+               goto out;
+       }
 
        rc = ll_do_fiemap(inode, fiemap, num_bytes);
 
        fieinfo->fi_flags = fiemap->fm_flags;
        fieinfo->fi_extents_mapped = fiemap->fm_mapped_extents;
-       if (extent_count > 0)
-               memcpy(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
-                      fiemap->fm_mapped_extents *
-                      sizeof(struct ll_fiemap_extent));
+       if (extent_count > 0 &&
+           copy_to_user(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
+                        fiemap->fm_mapped_extents *
+                        sizeof(struct ll_fiemap_extent)) != 0) {
+               rc = -EFAULT;
+               goto out;
+       }
 
+out:
        kvfree(fiemap);
        return rc;
 }
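Review bot: The copy_to_user() length near the end of the hunk is `fiemap->fm_mapped_extents * sizeof(struct ll_fiemap_extent)`, and nothing visible bounds fm_mapped_extents by extent_count or by the size of the fiemap buffer. That count is presumably filled in by ll_do_fiemap(), and the copy also runs when that call has returned an error, so a count larger than what was allocated would copy memory past the end of the kernel buffer out to userspace. I would add a guard before the copy, such as `if (fiemap->fm_mapped_extents > extent_count) { rc = -EIO; goto out; }` (the errno is only a suggestion), unless ll_do_fiemap() already guarantees the bound. The allocation of fiemap and the declaration of extent_count are above the hunk, so the bound may already be enforced there.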