From patchwork Thu Jun 19 21:52:15 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: dsneddon@codeaurora.org X-Patchwork-Id: 4386471 Return-Path: X-Original-To: patchwork-linux-spi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 1001CBEEAA for ; Thu, 19 Jun 2014 21:52:19 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 406CE203AA for ; Thu, 19 Jun 2014 21:52:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 631AB203A0 for ; Thu, 19 Jun 2014 21:52:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965677AbaFSVwR (ORCPT ); Thu, 19 Jun 2014 17:52:17 -0400 Received: from smtp.codeaurora.org ([198.145.11.231]:44347 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965749AbaFSVwQ (ORCPT ); Thu, 19 Jun 2014 17:52:16 -0400 Received: from smtp.codeaurora.org (localhost [127.0.0.1]) by smtp.codeaurora.org (Postfix) with ESMTP id D0B64140092; Thu, 19 Jun 2014 21:52:15 +0000 (UTC) Received: by smtp.codeaurora.org (Postfix, from userid 486) id C1F9414009D; Thu, 19 Jun 2014 21:52:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, DOS_FAKE_SQUIRREL, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from www.codeaurora.org (pdx-caf-fw-vip.codeaurora.org [198.145.11.226]) by smtp.codeaurora.org (Postfix) with ESMTP id 84D8A140092; Thu, 19 Jun 2014 21:52:15 +0000 (UTC) Received: from 172.30.200.101 (proxying for 199.106.103.253) (SquirrelMail authenticated user dsneddon) by www.codeaurora.org with HTTP; Thu, 19 Jun 2014 21:52:15 -0000 Message-ID: <4277a609d7431f34663d19a006a5ada6.squirrel@www.codeaurora.org> Date: Thu, 19 Jun 2014 21:52:15 -0000 Subject: [PATCH] spi: spidev: Fix user-space memory access. From: dsneddon@codeaurora.org To: linux-spi@vger.kernel.org Cc: broonie@kernel.org, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org User-Agent: SquirrelMail/1.4.22-4.el6 MIME-Version: 1.0 X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-spi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When the spidev module tries to access the user space memory passed in via an IOCTL the compat_ptr function should be called to ensure compatibility between kernel space and user space. Signed-off-by: Dan Sneddon --- drivers/spi/spidev.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) } -- 1.8.4 --- sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, hosted by The Linux Foundation -- To unsubscribe from this list: send the line "unsubscribe linux-spi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index e3bc23b..3a45158 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev, if (u_tmp->rx_buf) { k_tmp->rx_buf = buf; if (!access_ok(VERIFY_WRITE, (u8 __user *) - (uintptr_t) u_tmp->rx_buf, + (uintptr_t)compat_ptr( + u_tmp->rx_buf), u_tmp->len)) goto done; } if (u_tmp->tx_buf) { k_tmp->tx_buf = buf; if (copy_from_user(buf, (const u8 __user *) - (uintptr_t) u_tmp->tx_buf, + (uintptr_t)compat_ptr( + u_tmp->tx_buf), u_tmp->len)) goto done; } @@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev, for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) { if (u_tmp->rx_buf) { if (__copy_to_user((u8 __user *) - (uintptr_t) u_tmp->rx_buf, buf, - u_tmp->len)) { + (uintptr_t)compat_ptr(u_tmp->rx_buf), + buf, u_tmp->len)) { status = -EFAULT; goto done;