Skip to content

Commit f0e4de5

Browse files
author
Al Viro
committed
comedi: do_cmdtest_ioctl(): lift copyin/copyout into the caller
Signed-off-by: Al Viro <[email protected]>
1 parent 00035be commit f0e4de5

File tree

1 file changed

+22
-23
lines changed

1 file changed

+22
-23
lines changed

drivers/staging/comedi/comedi_fops.c

Lines changed: 22 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1856,49 +1856,39 @@ static int do_cmd_ioctl(struct comedi_device *dev,
18561856
* possibly modified comedi_cmd structure
18571857
*/
18581858
static int do_cmdtest_ioctl(struct comedi_device *dev,
1859-
struct comedi_cmd __user *arg, void *file)
1859+
struct comedi_cmd *cmd, bool *copy, void *file)
18601860
{
1861-
struct comedi_cmd cmd;
18621861
struct comedi_subdevice *s;
18631862
unsigned int __user *user_chanlist;
18641863
int ret;
18651864

18661865
lockdep_assert_held(&dev->mutex);
18671866

1868-
if (copy_from_user(&cmd, arg, sizeof(cmd))) {
1869-
dev_dbg(dev->class_dev, "bad cmd address\n");
1870-
return -EFAULT;
1871-
}
1872-
1873-
/* get the user's cmd and do some simple validation */
1874-
ret = __comedi_get_user_cmd(dev, &cmd);
1867+
/* do some simple cmd validation */
1868+
ret = __comedi_get_user_cmd(dev, cmd);
18751869
if (ret)
18761870
return ret;
18771871

18781872
/* save user's chanlist pointer so it can be restored later */
1879-
user_chanlist = (unsigned int __user *)cmd.chanlist;
1873+
user_chanlist = (unsigned int __user *)cmd->chanlist;
18801874

1881-
s = &dev->subdevices[cmd.subdev];
1875+
s = &dev->subdevices[cmd->subdev];
18821876

18831877
/* user_chanlist can be NULL for COMEDI_CMDTEST ioctl */
18841878
if (user_chanlist) {
18851879
/* load channel/gain list */
1886-
ret = __comedi_get_user_chanlist(dev, s, user_chanlist, &cmd);
1880+
ret = __comedi_get_user_chanlist(dev, s, user_chanlist, cmd);
18871881
if (ret)
18881882
return ret;
18891883
}
18901884

1891-
ret = s->do_cmdtest(dev, s, &cmd);
1885+
ret = s->do_cmdtest(dev, s, cmd);
18921886

1893-
kfree(cmd.chanlist); /* free kernel copy of user chanlist */
1887+
kfree(cmd->chanlist); /* free kernel copy of user chanlist */
18941888

18951889
/* restore chanlist pointer before copying back */
1896-
cmd.chanlist = (unsigned int __force *)user_chanlist;
1897-
1898-
if (copy_to_user(arg, &cmd, sizeof(cmd))) {
1899-
dev_dbg(dev->class_dev, "bad cmd address\n");
1900-
ret = -EFAULT;
1901-
}
1890+
cmd->chanlist = (unsigned int __force *)user_chanlist;
1891+
*copy = true;
19021892

19031893
return ret;
19041894
}
@@ -2220,10 +2210,19 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd,
22202210
case COMEDI_CMD:
22212211
rc = do_cmd_ioctl(dev, (struct comedi_cmd __user *)arg, file);
22222212
break;
2223-
case COMEDI_CMDTEST:
2224-
rc = do_cmdtest_ioctl(dev, (struct comedi_cmd __user *)arg,
2225-
file);
2213+
case COMEDI_CMDTEST: {
2214+
struct comedi_cmd cmd;
2215+
bool copy = false;
2216+
2217+
if (copy_from_user(&cmd, (void __user *)arg, sizeof(cmd))) {
2218+
rc = -EFAULT;
2219+
break;
2220+
}
2221+
rc = do_cmdtest_ioctl(dev, &cmd, &copy, file);
2222+
if (copy && copy_to_user((void __user *)arg, &cmd, sizeof(cmd)))
2223+
rc = -EFAULT;
22262224
break;
2225+
}
22272226
case COMEDI_INSNLIST: {
22282227
struct comedi_insnlist insnlist;
22292228
struct comedi_insn *insns = NULL;

0 commit comments

Comments
 (0)