CVSROOT: /home/cvs
Module name: linux
Changes by: ralf@ftp.linux-mips.org 05/03/17 21:50:49
Modified files:
include/asm-mips: inventory.h uaccess.h
arch/mips/kernel: irixelf.c irixinv.c irixioctl.c irixsig.c
sysirix.c unaligned.c
arch/mips/math-emu: dsemul.c
arch/mips/mm : cache.c
Log message:
Get rid of all verify_area() calls, this API is about to go away. The
lion part is dealing with the megamess the IRIX compat code still is.
It's now in a state where it's nearly sparse clean and all unprotected
userspace accesses I was able to find are fixed.
diff -urN linux/include/asm-mips/inventory.h linux/include/asm-mips/inventory.h
--- linux/include/asm-mips/inventory.h 2002/10/31 20:37:22 1.4
+++ linux/include/asm-mips/inventory.h 2005/03/17 21:50:49 1.5
@@ -4,6 +4,8 @@
#ifndef __ASM_INVENTORY_H
#define __ASM_INVENTORY_H
+#include <linux/compiler.h>
+
typedef struct inventory_s {
struct inventory_s *inv_next;
int inv_class;
@@ -14,7 +16,9 @@
} inventory_t;
extern int inventory_items;
-void add_to_inventory (int class, int type, int controller, int unit, int
state);
-int dump_inventory_to_user (void *userbuf, int size);
+
+extern void add_to_inventory (int class, int type, int controller, int unit,
int state);
+extern int dump_inventory_to_user (void __user *userbuf, int size);
+extern int __init init_inventory(void);
#endif /* __ASM_INVENTORY_H */
diff -urN linux/include/asm-mips/uaccess.h linux/include/asm-mips/uaccess.h
--- linux/include/asm-mips/uaccess.h 2005/03/17 20:36:06 1.44
+++ linux/include/asm-mips/uaccess.h 2005/03/17 21:50:49 1.45
@@ -252,12 +252,11 @@
({ \
const __typeof__(*(ptr)) __user * __gu_addr = (ptr); \
__typeof__(*(ptr)) __gu_val = 0; \
- long __gu_err; \
+ long __gu_err = -EFAULT; \
\
might_sleep(); \
\
- __gu_err = verify_area(VERIFY_READ, __gu_addr, size); \
- if (likely(!__gu_err)) { \
+ if (likely(access_ok(VERIFY_READ, __gu_addr, size))) { \
switch (size) { \
case 1: __get_user_asm("lb", __gu_addr); break; \
case 2: __get_user_asm("lh", __gu_addr); break; \
@@ -283,7 +282,7 @@
" "__UA_ADDR "\t1b, 3b \n" \
" .previous \n" \
: "=r" (__gu_err), "=r" (__gu_val) \
- : "0" (__gu_err), "o" (__m(addr)), "i" (-EFAULT)); \
+ : "0" (0), "o" (__m(addr)), "i" (-EFAULT)); \
}
/*
@@ -306,7 +305,7 @@
" " __UA_ADDR " 2b, 4b \n" \
" .previous \n" \
: "=r" (__gu_err), "=&r" (__gu_val) \
- : "0" (__gu_err), "r" (addr), "i" (-EFAULT)); \
+ : "0" (0), "r" (addr), "i" (-EFAULT)); \
}
extern void __get_user_unknown(void);
@@ -342,12 +341,11 @@
({ \
__typeof__(*(ptr)) __user *__pu_addr = (ptr); \
__typeof__(*(ptr)) __pu_val = (x); \
- long __pu_err; \
+ long __pu_err = -EFAULT; \
\
might_sleep(); \
\
- __pu_err = verify_area(VERIFY_WRITE, __pu_addr, size); \
- if (likely(!__pu_err)) { \
+ if (likely(access_ok(VERIFY_WRITE, __pu_addr, size))) { \
switch (size) { \
case 1: __put_user_asm("sb", __pu_addr); break; \
case 2: __put_user_asm("sh", __pu_addr); break; \
@@ -372,7 +370,7 @@
" " __UA_ADDR " 1b, 3b \n" \
" .previous \n" \
: "=r" (__pu_err) \
- : "0" (__pu_err), "Jr" (__pu_val), "o" (__m(ptr)), \
+ : "0" (0), "Jr" (__pu_val), "o" (__m(ptr)), \
"i" (-EFAULT)); \
}
@@ -391,7 +389,7 @@
" " __UA_ADDR " 2b, 4b \n" \
" .previous" \
: "=r" (__pu_err) \
- : "0" (__pu_err), "r" (__pu_val), "r" (ptr), \
+ : "0" (0), "r" (__pu_val), "r" (ptr), \
"i" (-EFAULT)); \
}
diff -urN linux/arch/mips/kernel/irixelf.c linux/arch/mips/kernel/irixelf.c
--- linux/arch/mips/kernel/irixelf.c 2005/03/14 03:28:17 1.67
+++ linux/arch/mips/kernel/irixelf.c 2005/03/17 21:50:49 1.68
@@ -40,7 +40,7 @@
#include <linux/elf.h>
-#undef DEBUG_ELF
+#undef DEBUG
static int load_irix_binary(struct linux_binprm * bprm, struct pt_regs * regs);
static int load_irix_library(struct file *);
@@ -56,7 +56,7 @@
#define elf_addr_t unsigned long
#endif
-#ifdef DEBUG_ELF
+#ifdef DEBUG
/* Debugging routines. */
static char *get_elf_p_type(Elf32_Word p_type)
{
@@ -121,7 +121,7 @@
print_phdr(i, ep);
}
}
-#endif /* (DEBUG_ELF) */
+#endif /* DEBUG */
static void set_brk(unsigned long start, unsigned long end)
{
@@ -147,20 +147,20 @@
nbyte = elf_bss & (PAGE_SIZE-1);
if (nbyte) {
nbyte = PAGE_SIZE - nbyte;
- clear_user((void *) elf_bss, nbyte);
+ clear_user((void __user *) elf_bss, nbyte);
}
}
-unsigned long * create_irix_tables(char * p, int argc, int envc,
- struct elfhdr * exec, unsigned int load_addr,
- unsigned int interp_load_addr,
- struct pt_regs *regs, struct elf_phdr *ephdr)
+static unsigned long * create_irix_tables(char * p, int argc, int envc,
+ struct elfhdr * exec, unsigned int load_addr,
+ unsigned int interp_load_addr, struct pt_regs *regs,
+ struct elf_phdr *ephdr)
{
elf_addr_t *argv;
elf_addr_t *envp;
elf_addr_t *sp, *csp;
-#ifdef DEBUG_ELF
+#ifdef DEBUG
printk("create_irix_tables: p[%p] argc[%d] envc[%d] "
"load_addr[%08x] interp_load_addr[%08x]\n",
p, argc, envc, load_addr, interp_load_addr);
@@ -249,7 +249,7 @@
last_bss = 0;
error = load_addr = 0;
-#ifdef DEBUG_ELF
+#ifdef DEBUG
print_elfhdr(interp_elf_ex);
#endif
@@ -290,7 +290,7 @@
(char *) elf_phdata,
sizeof(struct elf_phdr) * interp_elf_ex->e_phnum);
-#ifdef DEBUG_ELF
+#ifdef DEBUG
dump_phdrs(elf_phdata, interp_elf_ex->e_phnum);
#endif
@@ -306,13 +306,11 @@
elf_type |= MAP_FIXED;
vaddr = eppnt->p_vaddr;
-#ifdef DEBUG_ELF
- printk("INTERP do_mmap(%p, %08lx, %08lx, %08lx, %08lx, %08lx) ",
+ pr_debug("INTERP do_mmap(%p, %08lx, %08lx, %08lx, %08lx, %08lx) ",
interpreter, vaddr,
(unsigned long) (eppnt->p_filesz + (eppnt->p_vaddr & 0xfff)),
(unsigned long) elf_prot, (unsigned long) elf_type,
(unsigned long) (eppnt->p_offset & 0xfffff000));
-#endif
down_write(¤t->mm->mmap_sem);
error = do_mmap(interpreter, vaddr,
eppnt->p_filesz + (eppnt->p_vaddr & 0xfff),
@@ -324,14 +322,10 @@
printk("Aieee IRIX interp mmap error=%d\n", error);
break; /* Real error */
}
-#ifdef DEBUG_ELF
- printk("error=%08lx ", (unsigned long) error);
-#endif
+ pr_debug("error=%08lx ", (unsigned long) error);
if(!load_addr && interp_elf_ex->e_type == ET_DYN) {
load_addr = error;
-#ifdef DEBUG_ELF
- printk("load_addr = error ");
-#endif
+ pr_debug("load_addr = error ");
}
/* Find the end of the file mapping for this phdr, and keep
@@ -345,17 +339,13 @@
*/
k = eppnt->p_memsz + eppnt->p_vaddr;
if(k > last_bss) last_bss = k;
-#ifdef DEBUG_ELF
- printk("\n");
-#endif
+ pr_debug("\n");
}
}
/* Now use mmap to map the library into memory. */
if(error < 0 && error > -1024) {
-#ifdef DEBUG_ELF
- printk("got error %d\n", error);
-#endif
+ pr_debug("got error %d\n", error);
kfree(elf_phdata);
return 0xffffffff;
}
@@ -365,16 +355,12 @@
* that there are zero-mapped pages up to and including the
* last bss page.
*/
-#ifdef DEBUG_ELF
- printk("padzero(%08lx) ", (unsigned long) (elf_bss));
-#endif
+ pr_debug("padzero(%08lx) ", (unsigned long) (elf_bss));
padzero(elf_bss);
len = (elf_bss + 0xfff) & 0xfffff000; /* What we have mapped so far */
-#ifdef DEBUG_ELF
- printk("last_bss[%08lx] len[%08lx]\n", (unsigned long) last_bss,
- (unsigned long) len);
-#endif
+ pr_debug("last_bss[%08lx] len[%08lx]\n", (unsigned long) last_bss,
+ (unsigned long) len);
/* Map the last of the bss segment */
if (last_bss > len) {
@@ -559,7 +545,7 @@
* process and the system, here we map the page and fill the
* structure
*/
-void irix_map_prda_page (void)
+static void irix_map_prda_page(void)
{
unsigned long v;
struct prda *pp;
@@ -598,7 +584,7 @@
load_addr = 0;
has_interp = has_ephdr = 0;
- elf_ihdr = elf_ephdr = 0;
+ elf_ihdr = elf_ephdr = NULL;
elf_ex = *((struct elfhdr *) bprm->buf);
retval = -ENOEXEC;
@@ -624,7 +610,7 @@
if (elf_ex.e_shnum > 20)
goto out;
-#ifdef DEBUG_ELF
+#ifdef DEBUG
print_elfhdr(&elf_ex);
#endif
@@ -642,7 +628,7 @@
if (retval < 0)
goto out_free_ph;
-#ifdef DEBUG_ELF
+#ifdef DEBUG
dump_phdrs(elf_phdata, elf_ex.e_phnum);
#endif
@@ -659,9 +645,8 @@
break;
};
}
-#ifdef DEBUG_ELF
- printk("\n");
-#endif
+
+ pr_debug("\n");
elf_bss = 0;
elf_brk = 0;
@@ -768,18 +753,16 @@
* IRIX maps a page at 0x200000 which holds some system
* information. Programs depend on this.
*/
- irix_map_prda_page ();
+ irix_map_prda_page();
padzero(elf_bss);
-#ifdef DEBUG_ELF
- printk("(start_brk) %lx\n" , (long) current->mm->start_brk);
- printk("(end_code) %lx\n" , (long) current->mm->end_code);
- printk("(start_code) %lx\n" , (long) current->mm->start_code);
- printk("(end_data) %lx\n" , (long) current->mm->end_data);
- printk("(start_stack) %lx\n" , (long) current->mm->start_stack);
- printk("(brk) %lx\n" , (long) current->mm->brk);
-#endif
+ pr_debug("(start_brk) %lx\n" , (long) current->mm->start_brk);
+ pr_debug("(end_code) %lx\n" , (long) current->mm->end_code);
+ pr_debug("(start_code) %lx\n" , (long) current->mm->start_code);
+ pr_debug("(end_data) %lx\n" , (long) current->mm->end_data);
+ pr_debug("(start_stack) %lx\n" , (long) current->mm->start_stack);
+ pr_debug("(brk) %lx\n" , (long) current->mm->brk);
#if 0 /* XXX No fucking way dude... */
/* Why this, you ask??? Well SVr4 maps page 0 as read-only,
@@ -896,36 +879,36 @@
* phdrs there are in the USER_PHDRP array. We return the vaddr the
* first phdr was successfully mapped to.
*/
-unsigned long irix_mapelf(int fd, struct elf_phdr *user_phdrp, int cnt)
+unsigned long irix_mapelf(int fd, struct elf_phdr __user *user_phdrp, int cnt)
{
- struct elf_phdr *hp;
+ unsigned long type, vaddr, filesz, offset, flags;
+ struct elf_phdr __user *hp;
struct file *filp;
int i, retval;
-#ifdef DEBUG_ELF
- printk("irix_mapelf: fd[%d] user_phdrp[%p] cnt[%d]\n",
- fd, user_phdrp, cnt);
-#endif
+ pr_debug("irix_mapelf: fd[%d] user_phdrp[%p] cnt[%d]\n",
+ fd, user_phdrp, cnt);
/* First get the verification out of the way. */
hp = user_phdrp;
- retval = verify_area(VERIFY_READ, hp, (sizeof(struct elf_phdr) * cnt));
- if(retval) {
-#ifdef DEBUG_ELF
- printk("irix_mapelf: verify_area fails!\n");
-#endif
- return retval;
+ if (!access_ok(VERIFY_READ, hp, (sizeof(struct elf_phdr) * cnt))) {
+ pr_debug("irix_mapelf: bad pointer to ELF PHDR!\n");
+
+ return -EFAULT;
}
-#ifdef DEBUG_ELF
+#ifdef DEBUG
dump_phdrs(user_phdrp, cnt);
#endif
- for(i = 0; i < cnt; i++, hp++)
- if(hp->p_type != PT_LOAD) {
+ for (i = 0; i < cnt; i++, hp++) {
+ if (__get_user(type, &hp->p_type))
+ return -EFAULT;
+ if (type != PT_LOAD) {
printk("irix_mapelf: One section is not PT_LOAD!\n");
return -ENOEXEC;
}
+ }
filp = fget(fd);
if (!filp)
@@ -940,29 +923,40 @@
for(i = 0; i < cnt; i++, hp++) {
int prot;
- prot = (hp->p_flags & PF_R) ? PROT_READ : 0;
- prot |= (hp->p_flags & PF_W) ? PROT_WRITE : 0;
- prot |= (hp->p_flags & PF_X) ? PROT_EXEC : 0;
+ retval = __get_user(vaddr, &hp->p_vaddr);
+ retval |= __get_user(filesz, &hp->p_filesz);
+ retval |= __get_user(offset, &hp->p_offset);
+ retval |= __get_user(flags, &hp->p_flags);
+ if (retval)
+ return retval;
+
+ prot = (flags & PF_R) ? PROT_READ : 0;
+ prot |= (flags & PF_W) ? PROT_WRITE : 0;
+ prot |= (flags & PF_X) ? PROT_EXEC : 0;
+
down_write(¤t->mm->mmap_sem);
- retval = do_mmap(filp, (hp->p_vaddr & 0xfffff000),
- (hp->p_filesz + (hp->p_vaddr & 0xfff)),
+ retval = do_mmap(filp, (vaddr & 0xfffff000),
+ (filesz + (vaddr & 0xfff)),
prot, (MAP_FIXED | MAP_PRIVATE |
MAP_DENYWRITE),
- (hp->p_offset & 0xfffff000));
+ (offset & 0xfffff000));
up_write(¤t->mm->mmap_sem);
- if(retval != (hp->p_vaddr & 0xfffff000)) {
+ if (retval != (vaddr & 0xfffff000)) {
printk("irix_mapelf: do_mmap fails with %d!\n", retval);
fput(filp);
return retval;
}
}
-#ifdef DEBUG_ELF
- printk("irix_mapelf: Success, returning %08lx\n",
- (unsigned long) user_phdrp->p_vaddr);
-#endif
+ pr_debug("irix_mapelf: Success, returning %08lx\n",
+ (unsigned long) user_phdrp->p_vaddr);
+
fput(filp);
- return user_phdrp->p_vaddr;
+
+ if (__get_user(vaddr, &user_phdrp->p_vaddr))
+ return -EFAULT;
+
+ return vaddr;
}
/*
@@ -975,9 +969,9 @@
/* These are the only things you should do on a core-file: use only these
* functions to write out all the necessary info.
*/
-static int dump_write(struct file *file, const void *addr, int nr)
+static int dump_write(struct file *file, const void __user *addr, int nr)
{
- return file->f_op->write(file, addr, nr, &file->f_pos) == nr;
+ return file->f_op->write(file, (const char __user *) addr, nr,
&file->f_pos) == nr;
}
static int dump_seek(struct file *file, off_t off)
@@ -1096,7 +1090,7 @@
/* Count what's needed to dump, up to the limit of coredump size. */
segs = 0;
size = 0;
- for(vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
+ for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
if (maydump(vma))
{
int sz = vma->vm_end-vma->vm_start;
@@ -1210,9 +1204,9 @@
len = current->mm->arg_end - current->mm->arg_start;
len = len >= ELF_PRARGSZ ? ELF_PRARGSZ : len;
- copy_from_user(&psinfo.pr_psargs,
- (const char *)current->mm->arg_start, len);
- for(i = 0; i < len; i++)
+ (void *) copy_from_user(&psinfo.pr_psargs,
+ (const char __user *)current->mm->arg_start,
len);
+ for (i = 0; i < len; i++)
if (psinfo.pr_psargs[i] == 0)
psinfo.pr_psargs[i] = ' ';
psinfo.pr_psargs[len] = 0;
@@ -1279,8 +1273,10 @@
phdr.p_memsz = sz;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
- if (vma->vm_flags & VM_WRITE) phdr.p_flags |= PF_W;
- if (vma->vm_flags & VM_EXEC) phdr.p_flags |= PF_X;
+ if (vma->vm_flags & VM_WRITE)
+ phdr.p_flags |= PF_W;
+ if (vma->vm_flags & VM_EXEC)
+ phdr.p_flags |= PF_X;
phdr.p_align = PAGE_SIZE;
DUMP_WRITE(&phdr, sizeof(phdr));
@@ -1306,7 +1302,7 @@
#ifdef DEBUG
printk("elf_core_dump: writing %08lx %lx\n", addr, len);
#endif
- DUMP_WRITE((void *)addr, len);
+ DUMP_WRITE((void __user *)addr, len);
}
if ((off_t) file->f_pos != offset) {
diff -urN linux/arch/mips/kernel/irixinv.c linux/arch/mips/kernel/irixinv.c
--- linux/arch/mips/kernel/irixinv.c 2005/01/07 04:26:49 1.9
+++ linux/arch/mips/kernel/irixinv.c 2005/03/17 21:50:49 1.10
@@ -30,18 +30,19 @@
inventory_items++;
}
-int dump_inventory_to_user (void *userbuf, int size)
+int dump_inventory_to_user (void __user *userbuf, int size)
{
inventory_t *inv = &inventory [0];
- inventory_t *user = userbuf;
+ inventory_t __user *user = userbuf;
int v;
- if ((v = verify_area (VERIFY_WRITE, userbuf, size)))
- return v;
+ if (!access_ok(VERIFY_WRITE, userbuf, size))
+ return -EFAULT;
for (v = 0; v < inventory_items; v++){
inv = &inventory [v];
- copy_to_user (user, inv, sizeof (inventory_t));
+ if (copy_to_user (user, inv, sizeof (inventory_t)))
+ return -EFAULT;
user++;
}
return inventory_items * sizeof (inventory_t);
diff -urN linux/arch/mips/kernel/irixioctl.c linux/arch/mips/kernel/irixioctl.c
--- linux/arch/mips/kernel/irixioctl.c 2004/03/11 16:46:43 1.12
+++ linux/arch/mips/kernel/irixioctl.c 2005/03/17 21:50:49 1.13
@@ -58,7 +58,7 @@
{
struct tty_struct *tp, *rtp;
mm_segment_t old_fs;
- int error = 0;
+ int i, error = 0;
#ifdef DEBUG_IOCTLS
printk("[%s:%d] irix_ioctl(%d, ", current->comm, current->pid, fd);
@@ -73,12 +73,13 @@
case 0x0000540d: {
struct termios kt;
- struct irix_termios *it = (struct irix_termios *) arg;
+ struct irix_termios __user *it =
+ (struct irix_termios __user *) arg;
#ifdef DEBUG_IOCTLS
printk("TCGETS, %08lx) ", arg);
#endif
- if(!access_ok(VERIFY_WRITE, it, sizeof(*it))) {
+ if (!access_ok(VERIFY_WRITE, it, sizeof(*it))) {
error = -EFAULT;
break;
}
@@ -87,13 +88,14 @@
set_fs(old_fs);
if (error)
break;
- __put_user(kt.c_iflag, &it->c_iflag);
- __put_user(kt.c_oflag, &it->c_oflag);
- __put_user(kt.c_cflag, &it->c_cflag);
- __put_user(kt.c_lflag, &it->c_lflag);
- for(error = 0; error < NCCS; error++)
- __put_user(kt.c_cc[error], &it->c_cc[error]);
- error = 0;
+
+ error = __put_user(kt.c_iflag, &it->c_iflag);
+ error |= __put_user(kt.c_oflag, &it->c_oflag);
+ error |= __put_user(kt.c_cflag, &it->c_cflag);
+ error |= __put_user(kt.c_lflag, &it->c_lflag);
+
+ for (i = 0; i < NCCS; i++)
+ error |= __put_user(kt.c_cc[i], &it->c_cc[i]);
break;
}
@@ -111,14 +113,19 @@
old_fs = get_fs(); set_fs(get_ds());
error = sys_ioctl(fd, TCGETS, (unsigned long) &kt);
set_fs(old_fs);
- if(error)
+ if (error)
+ break;
+
+ error = __get_user(kt.c_iflag, &it->c_iflag);
+ error |= __get_user(kt.c_oflag, &it->c_oflag);
+ error |= __get_user(kt.c_cflag, &it->c_cflag);
+ error |= __get_user(kt.c_lflag, &it->c_lflag);
+
+ for (i = 0; i < NCCS; i++)
+ error |= __get_user(kt.c_cc[i], &it->c_cc[i]);
+
+ if (error)
break;
- __get_user(kt.c_iflag, &it->c_iflag);
- __get_user(kt.c_oflag, &it->c_oflag);
- __get_user(kt.c_cflag, &it->c_cflag);
- __get_user(kt.c_lflag, &it->c_lflag);
- for(error = 0; error < NCCS; error++)
- __get_user(kt.c_cc[error], &it->c_cc[error]);
old_fs = get_fs(); set_fs(get_ds());
error = sys_ioctl(fd, TCSETS, (unsigned long) &kt);
set_fs(old_fs);
@@ -152,7 +159,7 @@
#ifdef DEBUG_IOCTLS
printk("rtp->session=%d ", rtp->session);
#endif
- error = put_user(rtp->session, (unsigned long *) arg);
+ error = put_user(rtp->session, (unsigned long __user *) arg);
break;
case 0x746e:
@@ -194,50 +201,32 @@
break;
case 0x8004667e:
-#ifdef DEBUG_IOCTLS
- printk("FIONBIO, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, FIONBIO, arg);
break;
case 0x80047476:
-#ifdef DEBUG_IOCTLS
- printk("TIOCSPGRP, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, TIOCSPGRP, arg);
break;
case 0x8020690c:
-#ifdef DEBUG_IOCTLS
- printk("SIOCSIFADDR, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, SIOCSIFADDR, arg);
break;
case 0x80206910:
-#ifdef DEBUG_IOCTLS
- printk("SIOCSIFFLAGS, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, SIOCSIFFLAGS, arg);
break;
case 0xc0206911:
-#ifdef DEBUG_IOCTLS
- printk("SIOCGIFFLAGS, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, SIOCGIFFLAGS, arg);
break;
case 0xc020691b:
-#ifdef DEBUG_IOCTLS
- printk("SIOCGIFMETRIC, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
error = sys_ioctl(fd, SIOCGIFMETRIC, arg);
break;
default: {
#ifdef DEBUG_MISSING_IOCTL
- char *msg = "Unimplemented IOCTL cmd tell linux@engr.sgi.com\n";
+ char *msg = "Unimplemented IOCTL cmd tell
linux-mips@linux-mips.org\n";
#ifdef DEBUG_IOCTLS
printk("UNIMP_IOCTL, %08lx)\n", arg);
diff -urN linux/arch/mips/kernel/irixsig.c linux/arch/mips/kernel/irixsig.c
--- linux/arch/mips/kernel/irixsig.c 2005/02/07 02:54:34 1.46
+++ linux/arch/mips/kernel/irixsig.c 2005/03/17 21:50:49 1.47
@@ -79,33 +79,36 @@
static void setup_irix_frame(struct k_sigaction *ka, struct pt_regs *regs,
int signr, sigset_t *oldmask)
{
+ struct sigctx_irix5 __user *ctx;
unsigned long sp;
- struct sigctx_irix5 *ctx;
- int i;
+ int error, i;
sp = regs->regs[29];
sp -= sizeof(struct sigctx_irix5);
sp &= ~(0xf);
- ctx = (struct sigctx_irix5 *) sp;
+ ctx = (struct sigctx_irix5 __user *) sp;
if (!access_ok(VERIFY_WRITE, ctx, sizeof(*ctx)))
goto segv_and_exit;
- __put_user(0, &ctx->weird_fpu_thing);
- __put_user(~(0x00000001), &ctx->rmask);
- __put_user(0, &ctx->regs[0]);
+ error = __put_user(0, &ctx->weird_fpu_thing);
+ error |= __put_user(~(0x00000001), &ctx->rmask);
+ error |= __put_user(0, &ctx->regs[0]);
for(i = 1; i < 32; i++)
- __put_user((u64) regs->regs[i], &ctx->regs[i]);
+ error |= __put_user((u64) regs->regs[i], &ctx->regs[i]);
- __put_user((u64) regs->hi, &ctx->hi);
- __put_user((u64) regs->lo, &ctx->lo);
- __put_user((u64) regs->cp0_epc, &ctx->pc);
- __put_user(!!used_math(), &ctx->usedfp);
- __put_user((u64) regs->cp0_cause, &ctx->cp0_cause);
- __put_user((u64) regs->cp0_badvaddr, &ctx->cp0_badvaddr);
+ error |= __put_user((u64) regs->hi, &ctx->hi);
+ error |= __put_user((u64) regs->lo, &ctx->lo);
+ error |= __put_user((u64) regs->cp0_epc, &ctx->pc);
+ error |= __put_user(!!used_math(), &ctx->usedfp);
+ error |= __put_user((u64) regs->cp0_cause, &ctx->cp0_cause);
+ error |= __put_user((u64) regs->cp0_badvaddr, &ctx->cp0_badvaddr);
- __put_user(0, &ctx->sstk_flags); /* XXX sigstack unimp... todo... */
+ error |= __put_user(0, &ctx->sstk_flags); /* XXX sigstack unimp...
todo... */
- __copy_to_user(&ctx->sigset, oldmask, sizeof(irix_sigset_t));
+ error |= __copy_to_user(&ctx->sigset, oldmask, sizeof(irix_sigset_t)) ?
-EFAULT : 0;
+
+ if (error)
+ goto segv_and_exit;
#ifdef DEBUG_SIG
dump_irix5_sigctx(ctx);
@@ -209,10 +212,11 @@
asmlinkage void
irix_sigreturn(struct pt_regs *regs)
{
- struct sigctx_irix5 *context, *magic;
+ struct sigctx_irix5 __user *context, *magic;
unsigned long umask, mask;
u64 *fregs;
- int sig, i, base = 0;
+ u32 usedfp;
+ int error, sig, i, base = 0;
sigset_t blocked;
/* Always make any pending restarted system calls return -EINTR */
@@ -221,8 +225,8 @@
if (regs->regs[2] == 1000)
base = 1;
- context = (struct sigctx_irix5 *) regs->regs[base + 4];
- magic = (struct sigctx_irix5 *) regs->regs[base + 5];
+ context = (struct sigctx_irix5 __user *) regs->regs[base + 4];
+ magic = (struct sigctx_irix5 __user *) regs->regs[base + 5];
sig = (int) regs->regs[base + 6];
#ifdef DEBUG_SIG
printk("[%s:%d] IRIX sigreturn(scp[%p],ucp[%p],sig[%d])\n",
@@ -237,25 +241,31 @@
dump_irix5_sigctx(context);
#endif
- __get_user(regs->cp0_epc, &context->pc);
- umask = context->rmask; mask = 2;
+ error = __get_user(regs->cp0_epc, &context->pc);
+ error |= __get_user(umask, &context->rmask);
+
+ mask = 2;
for (i = 1; i < 32; i++, mask <<= 1) {
- if(umask & mask)
- __get_user(regs->regs[i], &context->regs[i]);
+ if (umask & mask)
+ error |= __get_user(regs->regs[i], &context->regs[i]);
}
- __get_user(regs->hi, &context->hi);
- __get_user(regs->lo, &context->lo);
+ error |= __get_user(regs->hi, &context->hi);
+ error |= __get_user(regs->lo, &context->lo);
- if ((umask & 1) && context->usedfp) {
+ error |= __get_user(usedfp, &context->usedfp);
+ if ((umask & 1) && usedfp) {
fregs = (u64 *) ¤t->thread.fpu;
+
for(i = 0; i < 32; i++)
- fregs[i] = (u64) context->fpregs[i];
- __get_user(current->thread.fpu.hard.fcr31, &context->fpcsr);
+ error |= __get_user(fregs[i], &context->fpregs[i]);
+ error |= __get_user(current->thread.fpu.hard.fcr31,
&context->fpcsr);
}
/* XXX do sigstack crapola here... XXX */
- if (__copy_from_user(&blocked, &context->sigset, sizeof(blocked)))
+ error |= __copy_from_user(&blocked, &context->sigset, sizeof(blocked))
? -EFAULT : 0;
+
+ if (error)
goto badframe;
sigdelsetmask(&blocked, ~_BLOCKABLE);
@@ -297,8 +307,8 @@
#endif
asmlinkage int
-irix_sigaction(int sig, const struct sigaction *act,
- struct sigaction *oact, void *trampoline)
+irix_sigaction(int sig, const struct sigaction __user *act,
+ struct sigaction __user *oact, void __user *trampoline)
{
struct k_sigaction new_ka, old_ka;
int ret;
@@ -312,12 +322,16 @@
#endif
if (act) {
sigset_t mask;
- if (verify_area(VERIFY_READ, act, sizeof(*act)) ||
- __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
- __get_user(new_ka.sa.sa_flags, &act->sa_flags))
+ int err;
+
+ if (!access_ok(VERIFY_READ, act, sizeof(*act)))
return -EFAULT;
+ err = __get_user(new_ka.sa.sa_handler, &act->sa_handler);
+ err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);
- __copy_from_user(&mask, &act->sa_mask, sizeof(sigset_t));
+ err |= __copy_from_user(&mask, &act->sa_mask, sizeof(sigset_t))
? -EFAULT : 0;
+ if (err)
+ return err;
/*
* Hmmm... methinks IRIX libc always passes a valid trampoline
@@ -331,32 +345,37 @@
ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
if (!ret && oact) {
- if (verify_area(VERIFY_WRITE, oact, sizeof(*oact)) ||
- __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
- __put_user(old_ka.sa.sa_flags, &oact->sa_flags))
+ int err;
+
+ if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+ return -EFAULT;
+
+ err = __put_user(old_ka.sa.sa_handler, &oact->sa_handler);
+ err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
+ err |= __copy_to_user(&oact->sa_mask, &old_ka.sa.sa_mask,
+ sizeof(sigset_t)) ? -EFAULT : 0;
+ if (err)
return -EFAULT;
- __copy_to_user(&old_ka.sa.sa_mask, &oact->sa_mask,
- sizeof(sigset_t));
}
return ret;
}
-asmlinkage int irix_sigpending(irix_sigset_t *set)
+asmlinkage int irix_sigpending(irix_sigset_t __user *set)
{
return do_sigpending(set, sizeof(*set));
}
-asmlinkage int irix_sigprocmask(int how, irix_sigset_t *new, irix_sigset_t
*old)
+asmlinkage int irix_sigprocmask(int how, irix_sigset_t __user *new,
+ irix_sigset_t __user *old)
{
sigset_t oldbits, newbits;
- int error;
if (new) {
- error = verify_area(VERIFY_READ, new, sizeof(*new));
- if (error)
- return error;
- __copy_from_user(&newbits, new, sizeof(unsigned long)*4);
+ if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+ return -EFAULT;
+ if (__copy_from_user(&newbits, new, sizeof(unsigned long)*4))
+ return -EFAULT;
sigdelsetmask(&newbits, ~_BLOCKABLE);
spin_lock_irq(¤t->sighand->siglock);
@@ -384,21 +403,19 @@
recalc_sigpending();
spin_unlock_irq(¤t->sighand->siglock);
}
- if(old) {
- error = verify_area(VERIFY_WRITE, old, sizeof(*old));
- if(error)
- return error;
- __copy_to_user(old, ¤t->blocked, sizeof(unsigned long)*4);
- }
+ if (old)
+ return copy_to_user(old, ¤t->blocked,
+ sizeof(unsigned long)*4) ? -EFAULT : 0;
return 0;
}
asmlinkage int irix_sigsuspend(struct pt_regs *regs)
{
- sigset_t *uset, saveset, newset;
+ sigset_t saveset, newset;
+ sigset_t __user *uset;
- uset = (sigset_t *) regs->regs[4];
+ uset = (sigset_t __user *) regs->regs[4];
if (copy_from_user(&newset, uset, sizeof(sigset_t)))
return -EFAULT;
sigdelsetmask(&newset, ~_BLOCKABLE);
@@ -456,12 +473,13 @@
return HZ * sec + nsec;
}
-asmlinkage int irix_sigpoll_sys(unsigned long *set, struct irix5_siginfo *info,
- struct timespec *tp)
+asmlinkage int irix_sigpoll_sys(unsigned long __user *set,
+ struct irix5_siginfo __user *info, struct timespec __user *tp)
{
long expire = MAX_SCHEDULE_TIMEOUT;
sigset_t kset;
int i, sig, error, timeo = 0;
+ struct timespec ktp;
#ifdef DEBUG_SIG
printk("[%s:%d] irix_sigpoll_sys(%p,%p,%p)\n",
@@ -469,31 +487,25 @@
#endif
/* Must always specify the signal set. */
- if(!set)
+ if (!set)
return -EINVAL;
- error = verify_area(VERIFY_READ, set, sizeof(kset));
- if (error)
- goto out;
-
- __copy_from_user(&kset, set, sizeof(set));
- if (error)
- goto out;
+ if (copy_from_user(&kset, set, sizeof(set)))
+ return -EFAULT;
if (info && clear_user(info, sizeof(*info))) {
error = -EFAULT;
goto out;
}
- if(tp) {
- error = verify_area(VERIFY_READ, tp, sizeof(*tp));
- if(error)
- return error;
- if(!tp->tv_sec && !tp->tv_nsec) {
- error = -EINVAL;
- goto out;
- }
- expire = timespectojiffies(tp)+(tp->tv_sec||tp->tv_nsec);
+ if (tp) {
+ if (copy_from_user(&ktp, tp, sizeof(*tp)))
+ return -EFAULT;
+
+ if (!ktp.tv_sec && !ktp.tv_nsec)
+ return -EINVAL;
+
+ expire = timespectojiffies(&ktp) + (ktp.tv_sec || ktp.tv_nsec);
}
while(1) {
@@ -517,15 +529,14 @@
if (timeo)
return -EAGAIN;
- for(sig = 1; i <= 65 /* IRIX_NSIG */; sig++) {
+ for (sig = 1; i <= 65 /* IRIX_NSIG */; sig++) {
if (sigismember (&kset, sig))
continue;
if (sigismember (¤t->pending.signal, sig)) {
/* XXX need more than this... */
if (info)
- info->sig = sig;
- error = 0;
- goto out;
+ return copy_to_user(&info->sig, &sig,
sizeof(sig));
+ return 0;
}
}
@@ -551,8 +562,9 @@
#define W_MASK (W_EXITED | W_TRAPPED | W_STOPPED | W_CONT | W_NOHANG)
-asmlinkage int irix_waitsys(int type, int pid, struct irix5_siginfo *info,
- int options, struct rusage *ru)
+asmlinkage int irix_waitsys(int type, int pid,
+ struct irix5_siginfo __user *info, int options,
+ struct rusage __user *ru)
{
int flag, retval;
DECLARE_WAITQUEUE(wait, current);
@@ -560,26 +572,22 @@
struct task_struct *p;
struct list_head *_p;
- if (!info) {
- retval = -EINVAL;
- goto out;
- }
- retval = verify_area(VERIFY_WRITE, info, sizeof(*info));
- if(retval)
- goto out;
- if (ru) {
- retval = verify_area(VERIFY_WRITE, ru, sizeof(*ru));
- if(retval)
- goto out;
- }
- if (options & ~(W_MASK)) {
- retval = -EINVAL;
- goto out;
- }
- if (type != IRIX_P_PID && type != IRIX_P_PGID && type != IRIX_P_ALL) {
- retval = -EINVAL;
- goto out;
- }
+ if (!info)
+ return -EINVAL;
+
+ if (!access_ok(VERIFY_WRITE, info, sizeof(*info)))
+ return -EFAULT;
+
+ if (ru)
+ if (!access_ok(VERIFY_WRITE, ru, sizeof(*ru)))
+ return -EFAULT;
+
+ if (options & ~W_MASK)
+ return -EINVAL;
+
+ if (type != IRIX_P_PID && type != IRIX_P_PGID && type != IRIX_P_ALL)
+ return -EINVAL;
+
add_wait_queue(¤t->signal->wait_chldexit, &wait);
repeat:
flag = 0;
@@ -610,18 +618,20 @@
add_parent(p, p->parent);
write_unlock_irq(&tasklist_lock);
retval = ru ? getrusage(p, RUSAGE_BOTH, ru) : 0;
- if (!retval && ru) {
- retval |= __put_user(SIGCHLD, &info->sig);
- retval |= __put_user(0, &info->code);
- retval |= __put_user(p->pid,
&info->stuff.procinfo.pid);
- retval |= __put_user((p->exit_code >> 8) & 0xff,
-
&info->stuff.procinfo.procdata.child.status);
- retval |= __put_user(p->utime,
&info->stuff.procinfo.procdata.child.utime);
- retval |= __put_user(p->stime,
&info->stuff.procinfo.procdata.child.stime);
- }
- if (!retval) {
- p->exit_code = 0;
- }
+ if (retval)
+ goto end_waitsys;
+
+ retval = __put_user(SIGCHLD, &info->sig);
+ retval |= __put_user(0, &info->code);
+ retval |= __put_user(p->pid, &info->stuff.procinfo.pid);
+ retval |= __put_user((p->exit_code >> 8) & 0xff,
+ &info->stuff.procinfo.procdata.child.status);
+ retval |= __put_user(p->utime,
&info->stuff.procinfo.procdata.child.utime);
+ retval |= __put_user(p->stime,
&info->stuff.procinfo.procdata.child.stime);
+ if (retval)
+ goto end_waitsys;
+
+ p->exit_code = 0;
goto end_waitsys;
case EXIT_ZOMBIE:
@@ -629,16 +639,18 @@
current->signal->cstime += p->stime + p->signal->cstime;
if (ru != NULL)
getrusage(p, RUSAGE_BOTH, ru);
- __put_user(SIGCHLD, &info->sig);
- __put_user(1, &info->code); /* CLD_EXITED */
- __put_user(p->pid, &info->stuff.procinfo.pid);
- __put_user((p->exit_code >> 8) & 0xff,
+ retval = __put_user(SIGCHLD, &info->sig);
+ retval |= __put_user(1, &info->code); /*
CLD_EXITED */
+ retval |= __put_user(p->pid, &info->stuff.procinfo.pid);
+ retval |= __put_user((p->exit_code >> 8) & 0xff,
&info->stuff.procinfo.procdata.child.status);
- __put_user(p->utime,
+ retval |= __put_user(p->utime,
&info->stuff.procinfo.procdata.child.utime);
- __put_user(p->stime,
+ retval |= __put_user(p->stime,
&info->stuff.procinfo.procdata.child.stime);
- retval = 0;
+ if (retval)
+ return retval;
+
if (p->real_parent != p->parent) {
write_lock_irq(&tasklist_lock);
remove_parent(p);
@@ -671,7 +683,6 @@
current->state = TASK_RUNNING;
remove_wait_queue(¤t->signal->wait_chldexit, &wait);
-out:
return retval;
}
@@ -691,174 +702,169 @@
asmlinkage int irix_getcontext(struct pt_regs *regs)
{
int error, i, base = 0;
- struct irix5_context *ctx;
+ struct irix5_context __user *ctx;
unsigned long flags;
if (regs->regs[2] == 1000)
base = 1;
- ctx = (struct irix5_context *) regs->regs[base + 4];
+ ctx = (struct irix5_context __user *) regs->regs[base + 4];
#ifdef DEBUG_SIG
printk("[%s:%d] irix_getcontext(%p)\n",
current->comm, current->pid, ctx);
#endif
- error = verify_area(VERIFY_WRITE, ctx, sizeof(*ctx));
- if(error)
- goto out;
- __put_user(current->thread.irix_oldctx, &ctx->link);
+ if (!access_ok(VERIFY_WRITE, ctx, sizeof(*ctx)));
+ return -EFAULT;
+
+ error = __put_user(current->thread.irix_oldctx, &ctx->link);
- __copy_to_user(&ctx->sigmask, ¤t->blocked, sizeof(irix_sigset_t));
+ error |= __copy_to_user(&ctx->sigmask, ¤t->blocked,
sizeof(irix_sigset_t)) ? -EFAULT : 0;
/* XXX Do sigstack stuff someday... */
- __put_user(0, &ctx->stack.sp);
- __put_user(0, &ctx->stack.size);
- __put_user(0, &ctx->stack.flags);
+ error |= __put_user(0, &ctx->stack.sp);
+ error |= __put_user(0, &ctx->stack.size);
+ error |= __put_user(0, &ctx->stack.flags);
- __put_user(0, &ctx->weird_graphics_thing);
- __put_user(0, &ctx->regs[0]);
+ error |= __put_user(0, &ctx->weird_graphics_thing);
+ error |= __put_user(0, &ctx->regs[0]);
for (i = 1; i < 32; i++)
- __put_user(regs->regs[i], &ctx->regs[i]);
- __put_user(regs->lo, &ctx->regs[32]);
- __put_user(regs->hi, &ctx->regs[33]);
- __put_user(regs->cp0_cause, &ctx->regs[34]);
- __put_user(regs->cp0_epc, &ctx->regs[35]);
+ error |= __put_user(regs->regs[i], &ctx->regs[i]);
+ error |= __put_user(regs->lo, &ctx->regs[32]);
+ error |= __put_user(regs->hi, &ctx->regs[33]);
+ error |= __put_user(regs->cp0_cause, &ctx->regs[34]);
+ error |= __put_user(regs->cp0_epc, &ctx->regs[35]);
flags = 0x0f;
- if(!used_math()) {
+ if (!used_math()) {
flags &= ~(0x08);
} else {
/* XXX wheee... */
printk("Wheee, no code for saving IRIX FPU context yet.\n");
}
- __put_user(flags, &ctx->flags);
- error = 0;
+ error |= __put_user(flags, &ctx->flags);
-out:
return error;
}
-asmlinkage unsigned long irix_setcontext(struct pt_regs *regs)
+asmlinkage void irix_setcontext(struct pt_regs *regs)
{
- int error, base = 0;
- struct irix5_context *ctx;
+ struct irix5_context __user *ctx;
+ int err, base = 0;
+ u32 flags;
- if(regs->regs[2] == 1000)
+ if (regs->regs[2] == 1000)
base = 1;
- ctx = (struct irix5_context *) regs->regs[base + 4];
+ ctx = (struct irix5_context __user *) regs->regs[base + 4];
#ifdef DEBUG_SIG
printk("[%s:%d] irix_setcontext(%p)\n",
current->comm, current->pid, ctx);
#endif
- error = verify_area(VERIFY_READ, ctx, sizeof(*ctx));
- if (error)
- goto out;
+ if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)))
+ goto segv_and_exit;
- if (ctx->flags & 0x02) {
+ err = __get_user(flags, &ctx->flags);
+ if (flags & 0x02) {
/* XXX sigstack garbage, todo... */
printk("Wheee, cannot do sigstack stuff in setcontext\n");
}
- if (ctx->flags & 0x04) {
+ if (flags & 0x04) {
int i;
/* XXX extra control block stuff... todo... */
- for(i = 1; i < 32; i++)
- regs->regs[i] = ctx->regs[i];
- regs->lo = ctx->regs[32];
- regs->hi = ctx->regs[33];
- regs->cp0_epc = ctx->regs[35];
+ for (i = 1; i < 32; i++)
+ err |= __get_user(regs->regs[i], &ctx->regs[i]);
+ err |= __get_user(regs->lo, &ctx->regs[32]);
+ err |= __get_user(regs->hi, &ctx->regs[33]);
+ err |= __get_user(regs->cp0_epc, &ctx->regs[35]);
}
- if (ctx->flags & 0x08) {
+ if (flags & 0x08)
/* XXX fpu context, blah... */
- printk("Wheee, cannot restore FPU context yet...\n");
- }
- current->thread.irix_oldctx = ctx->link;
- error = regs->regs[2];
+ printk(KERN_ERR "Wheee, cannot restore FPU context yet...\n");
-out:
- return error;
+ err |= __get_user(current->thread.irix_oldctx, &ctx->link);
+ if (err)
+ goto segv_and_exit;
+
+ /*
+ * Don't let your children do this ...
+ */
+ if (current_thread_info()->flags & TIF_SYSCALL_TRACE)
+ do_syscall_trace(regs, 1);
+ __asm__ __volatile__(
+ "move\t$29,%0\n\t"
+ "j\tsyscall_exit"
+ :/* no outputs */
+ :"r" (®s));
+ /* Unreached */
+
+segv_and_exit:
+ force_sigsegv(SIGSEGV, current);
}
-struct irix_sigstack { unsigned long sp; int status; };
+struct irix_sigstack {
+ unsigned long sp;
+ int status;
+};
-asmlinkage int irix_sigstack(struct irix_sigstack *new, struct irix_sigstack
*old)
+asmlinkage int irix_sigstack(struct irix_sigstack __user *new,
+ struct irix_sigstack __user *old)
{
- int error;
-
#ifdef DEBUG_SIG
printk("[%s:%d] irix_sigstack(%p,%p)\n",
current->comm, current->pid, new, old);
#endif
- if(new) {
- error = verify_area(VERIFY_READ, new, sizeof(*new));
- if(error)
- goto out;
+ if (new) {
+ if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+ return -EFAULT;
}
- if(old) {
- error = verify_area(VERIFY_WRITE, old, sizeof(*old));
- if(error)
- goto out;
+ if (old) {
+ if (!access_ok(VERIFY_WRITE, old, sizeof(*old)))
+ return -EFAULT;
}
- error = 0;
-out:
- return error;
+ return 0;
}
struct irix_sigaltstack { unsigned long sp; int size; int status; };
-asmlinkage int irix_sigaltstack(struct irix_sigaltstack *new,
- struct irix_sigaltstack *old)
+asmlinkage int irix_sigaltstack(struct irix_sigaltstack __user *new,
+ struct irix_sigaltstack __user *old)
{
- int error;
-
#ifdef DEBUG_SIG
printk("[%s:%d] irix_sigaltstack(%p,%p)\n",
current->comm, current->pid, new, old);
#endif
- if (new) {
- error = verify_area(VERIFY_READ, new, sizeof(*new));
- if(error)
- goto out;
- }
+ if (new)
+ if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+ return -EFAULT;
if (old) {
- error = verify_area(VERIFY_WRITE, old, sizeof(*old));
- if(error)
- goto out;
+ if (!access_ok(VERIFY_WRITE, old, sizeof(*old)))
+ return -EFAULT;
}
- error = 0;
-
-out:
- error = 0;
- return error;
+ return 0;
}
struct irix_procset {
int cmd, ltype, lid, rtype, rid;
};
-asmlinkage int irix_sigsendset(struct irix_procset *pset, int sig)
+asmlinkage int irix_sigsendset(struct irix_procset __user *pset, int sig)
{
- int error;
-
- error = verify_area(VERIFY_READ, pset, sizeof(*pset));
- if(error)
- goto out;
+ if (!access_ok(VERIFY_READ, pset, sizeof(*pset)))
+ return -EFAULT;
#ifdef DEBUG_SIG
printk("[%s:%d] irix_sigsendset([%d,%d,%d,%d,%d],%d)\n",
current->comm, current->pid,
pset->cmd, pset->ltype, pset->lid, pset->rtype, pset->rid,
sig);
#endif
- error = -EINVAL;
-
-out:
- return error;
+ return -EINVAL;
}
diff -urN linux/arch/mips/kernel/sysirix.c linux/arch/mips/kernel/sysirix.c
--- linux/arch/mips/kernel/sysirix.c 2005/03/01 03:51:33 1.69
+++ linux/arch/mips/kernel/sysirix.c 2005/03/17 21:50:49 1.70
@@ -233,7 +233,7 @@
#undef DEBUG_PROCGRPS
-extern unsigned long irix_mapelf(int fd, struct elf_phdr *user_phdrp, int cnt);
+extern unsigned long irix_mapelf(int fd, struct elf_phdr __user *user_phdrp,
int cnt);
extern int getrusage(struct task_struct *p, int who, struct rusage __user *ru);
extern char *prom_getenv(char *name);
extern long prom_setenv(char *name, char *value);
@@ -270,22 +270,19 @@
cmd = regs->regs[base + 4];
switch(cmd) {
case SGI_SYSID: {
- char *buf = (char *) regs->regs[base + 5];
+ char __user *buf = (char __user *) regs->regs[base + 5];
/* XXX Use ethernet addr.... */
- retval = clear_user(buf, 64);
+ retval = clear_user(buf, 64) ? -EFAULT : 0;
break;
}
#if 0
case SGI_RDNAME: {
int pid = (int) regs->regs[base + 5];
- char *buf = (char *) regs->regs[base + 6];
+ char __user *buf = (char *) regs->regs[base + 6];
struct task_struct *p;
char tcomm[sizeof(current->comm)];
- retval = verify_area(VERIFY_WRITE, buf, sizeof(tcomm));
- if (retval)
- break;
read_lock(&tasklist_lock);
p = find_task_by_pid(pid);
if (!p) {
@@ -297,33 +294,28 @@
read_unlock(&tasklist_lock);
/* XXX Need to check sizes. */
- copy_to_user(buf, tcomm, sizeof(tcomm));
- retval = 0;
+ retval = copy_to_user(buf, tcomm, sizeof(tcomm)) ? -EFAULT : 0;
break;
}
case SGI_GETNVRAM: {
- char *name = (char *) regs->regs[base+5];
- char *buf = (char *) regs->regs[base+6];
+ char __user *name = (char __user *) regs->regs[base+5];
+ char __user *buf = (char __user *) regs->regs[base+6];
char *value;
return -EINVAL; /* til I fix it */
- retval = verify_area(VERIFY_WRITE, buf, 128);
- if (retval)
- break;
value = prom_getenv(name); /* PROM lock? */
if (!value) {
retval = -EINVAL;
break;
}
/* Do I strlen() for the length? */
- copy_to_user(buf, value, 128);
- retval = 0;
+ retval = copy_to_user(buf, value, 128) ? -EFAULT : 0;
break;
}
case SGI_SETNVRAM: {
- char *name = (char *) regs->regs[base+5];
- char *value = (char *) regs->regs[base+6];
+ char __user *name = (char __user *) regs->regs[base+5];
+ char __user *value = (char __user *) regs->regs[base+6];
return -EINVAL; /* til I fix it */
retval = prom_setenv(name, value);
/* XXX make sure retval conforms to syssgi(2) */
@@ -399,16 +391,16 @@
case SGI_SETGROUPS:
retval = sys_setgroups((int) regs->regs[base + 5],
- (gid_t *) regs->regs[base + 6]);
+ (gid_t __user *) regs->regs[base + 6]);
break;
case SGI_GETGROUPS:
retval = sys_getgroups((int) regs->regs[base + 5],
- (gid_t *) regs->regs[base + 6]);
+ (gid_t __user *) regs->regs[base + 6]);
break;
case SGI_RUSAGE: {
- struct rusage *ru = (struct rusage *) regs->regs[base + 6];
+ struct rusage __user *ru = (struct rusage __user *)
regs->regs[base + 6];
switch((int) regs->regs[base + 5]) {
case 0:
@@ -445,7 +437,7 @@
case SGI_ELFMAP:
retval = irix_mapelf((int) regs->regs[base + 5],
- (struct elf_phdr *) regs->regs[base + 6],
+ (struct elf_phdr __user *) regs->regs[base
+ 6],
(int) regs->regs[base + 7]);
break;
@@ -460,17 +452,13 @@
case SGI_PHYSP: {
unsigned long addr = regs->regs[base + 5];
- int *pageno = (int *) (regs->regs[base + 6]);
+ int __user *pageno = (int __user *) (regs->regs[base + 6]);
struct mm_struct *mm = current->mm;
pgd_t *pgdp;
pud_t *pudp;
pmd_t *pmdp;
pte_t *ptep;
- retval = verify_area(VERIFY_WRITE, pageno, sizeof(int));
- if (retval)
- return retval;
-
down_read(&mm->mmap_sem);
pgdp = pgd_offset(mm, addr);
pudp = pud_offset(pgdp, addr);
@@ -481,6 +469,7 @@
pte_t pte = *ptep;
if (pte_val(pte) & (_PAGE_VALID | _PAGE_PRESENT)) {
+ /* b0rked on 64-bit */
retval = put_user((pte_val(pte) & PAGE_MASK) >>
PAGE_SHIFT, pageno);
}
@@ -491,7 +480,7 @@
case SGI_INVENT: {
int arg1 = (int) regs->regs [base + 5];
- void *buffer = (void *) regs->regs [base + 6];
+ void __user *buffer = (void __user *) regs->regs [base + 6];
int count = (int) regs->regs [base + 7];
switch (arg1) {
@@ -695,8 +684,8 @@
}
/* XXX need more than this... */
-asmlinkage int irix_mount(char *dev_name, char *dir_name, unsigned long flags,
- char *type, void *data, int datalen)
+asmlinkage int irix_mount(char __user *dev_name, char __user *dir_name,
+ unsigned long flags, char __user *type, void __user *data, int datalen)
{
printk("[%s:%d] irix_mount(%p,%p,%08lx,%p,%p,%d)\n",
current->comm, current->pid,
@@ -711,8 +700,8 @@
char f_fname[6], f_fpack[6];
};
-asmlinkage int irix_statfs(const char *path, struct irix_statfs *buf,
- int len, int fs_type)
+asmlinkage int irix_statfs(const char __user *path,
+ struct irix_statfs __user *buf, int len, int fs_type)
{
struct nameidata nd;
struct kstatfs kbuf;
@@ -723,9 +712,11 @@
error = -EINVAL;
goto out;
}
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statfs));
- if (error)
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statfs))) {
+ error = -EFAULT;
goto out;
+ }
+
error = user_path_walk(path, &nd);
if (error)
goto out;
@@ -734,18 +725,17 @@
if (error)
goto dput_and_out;
- __put_user(kbuf.f_type, &buf->f_type);
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
+ error = __put_user(kbuf.f_type, &buf->f_type);
+ error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
for (i = 0; i < 6; i++) {
- __put_user(0, &buf->f_fname[i]);
- __put_user(0, &buf->f_fpack[i]);
+ error |= __put_user(0, &buf->f_fname[i]);
+ error |= __put_user(0, &buf->f_fpack[i]);
}
- error = 0;
dput_and_out:
path_release(&nd);
@@ -753,15 +743,17 @@
return error;
}
-asmlinkage int irix_fstatfs(unsigned int fd, struct irix_statfs *buf)
+asmlinkage int irix_fstatfs(unsigned int fd, struct irix_statfs __user *buf)
{
struct kstatfs kbuf;
struct file *file;
int error, i;
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statfs));
- if (error)
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statfs))) {
+ error = -EFAULT;
goto out;
+ }
+
if (!(file = fget(fd))) {
error = -EBADF;
goto out;
@@ -771,16 +763,17 @@
if (error)
goto out_f;
- __put_user(kbuf.f_type, &buf->f_type);
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
- for(i = 0; i < 6; i++) {
- __put_user(0, &buf->f_fname[i]);
- __put_user(0, &buf->f_fpack[i]);
+ error = __put_user(kbuf.f_type, &buf->f_type);
+ error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+
+ for (i = 0; i < 6; i++) {
+ error |= __put_user(0, &buf->f_fname[i]);
+ error |= __put_user(0, &buf->f_fpack[i]);
}
out_f:
@@ -807,15 +800,15 @@
return error;
}
-asmlinkage int irix_times(struct tms * tbuf)
+asmlinkage int irix_times(struct tms __user *tbuf)
{
int err = 0;
if (tbuf) {
- err = verify_area(VERIFY_WRITE,tbuf,sizeof *tbuf);
- if (err)
- return err;
- err |= __put_user(current->utime, &tbuf->tms_utime);
+ if (!access_ok(VERIFY_WRITE,tbuf,sizeof *tbuf))
+ return -EFAULT;
+
+ err = __put_user(current->utime, &tbuf->tms_utime);
err |= __put_user(current->stime, &tbuf->tms_stime);
err |= __put_user(current->signal->cutime, &tbuf->tms_cutime);
err |= __put_user(current->signal->cstime, &tbuf->tms_cstime);
@@ -831,13 +824,13 @@
if(regs->regs[2] == 1000)
base = 1;
- filename = getname((char *) (long)regs->regs[base + 4]);
+ filename = getname((char __user *) (long)regs->regs[base + 4]);
error = PTR_ERR(filename);
if (IS_ERR(filename))
return error;
- error = do_execve(filename, (char **) (long)regs->regs[base + 5],
- (char **) 0, regs);
+ error = do_execve(filename, (char __user * __user *)
(long)regs->regs[base + 5],
+ NULL, regs);
putname(filename);
return error;
@@ -850,12 +843,12 @@
if (regs->regs[2] == 1000)
base = 1;
- filename = getname((char *) (long)regs->regs[base + 4]);
+ filename = getname((char __user *) (long)regs->regs[base + 4]);
error = PTR_ERR(filename);
if (IS_ERR(filename))
return error;
- error = do_execve(filename, (char **) (long)regs->regs[base + 5],
- (char **) (long)regs->regs[base + 6], regs);
+ error = do_execve(filename, (char __user * __user *)
(long)regs->regs[base + 5],
+ (char __user * __user *) (long)regs->regs[base + 6],
regs);
putname(filename);
return error;
@@ -911,23 +904,17 @@
return sys_socket(family, type, protocol);
}
-asmlinkage int irix_getdomainname(char *name, int len)
+asmlinkage int irix_getdomainname(char __user *name, int len)
{
- int error;
-
- error = verify_area(VERIFY_WRITE, name, len);
- if (error)
- return error;
+ int err;
down_read(&uts_sem);
if (len > __NEW_UTS_LEN)
len = __NEW_UTS_LEN;
- error = 0;
- if (copy_to_user(name, system_utsname.domainname, len))
- error = -EFAULT;
+ err = copy_to_user(name, system_utsname.domainname, len) ? -EFAULT : 0;
up_read(&uts_sem);
- return error;
+ return err;
}
asmlinkage unsigned long irix_getpagesize(void)
@@ -943,12 +930,13 @@
case 0:
return sys_msgget((key_t) arg0, (int) arg1);
case 1:
- return sys_msgctl((int) arg0, (int) arg1, (struct msqid_ds
*)arg2);
+ return sys_msgctl((int) arg0, (int) arg1,
+ (struct msqid_ds __user *)arg2);
case 2:
- return sys_msgrcv((int) arg0, (struct msgbuf *) arg1,
+ return sys_msgrcv((int) arg0, (struct msgbuf __user *) arg1,
(size_t) arg2, (long) arg3, (int) arg4);
case 3:
- return sys_msgsnd((int) arg0, (struct msgbuf *) arg1,
+ return sys_msgsnd((int) arg0, (struct msgbuf __user *) arg1,
(size_t) arg2, (int) arg3);
default:
return -EINVAL;
@@ -960,12 +948,13 @@
{
switch (opcode) {
case 0:
- return do_shmat((int) arg0, (char *)arg1, (int) arg2,
+ return do_shmat((int) arg0, (char __user *) arg1, (int) arg2,
(unsigned long *) arg3);
case 1:
- return sys_shmctl((int)arg0, (int)arg1, (struct shmid_ds
*)arg2);
+ return sys_shmctl((int)arg0, (int)arg1,
+ (struct shmid_ds __user *)arg2);
case 2:
- return sys_shmdt((char *)arg0);
+ return sys_shmdt((char __user *)arg0);
case 3:
return sys_shmget((key_t) arg0, (int) arg1, (int) arg2);
default:
@@ -983,7 +972,7 @@
case 1:
return sys_semget((key_t) arg0, (int) arg1, (int) arg2);
case 2:
- return sys_semop((int) arg0, (struct sembuf *)arg1,
+ return sys_semop((int) arg0, (struct sembuf __user *)arg1,
(unsigned int) arg2);
default:
return -EINVAL;
@@ -1001,15 +990,16 @@
lock_kernel();
retval = fn(file, offset, origin);
unlock_kernel();
+
return retval;
}
asmlinkage int irix_lseek64(int fd, int _unused, int offhi, int offlow,
int origin)
{
- int retval;
struct file * file;
loff_t offset;
+ int retval;
retval = -EBADF;
file = fget(fd);
@@ -1035,18 +1025,18 @@
return 0;
}
-asmlinkage int irix_sgikopt(char *istring, char *ostring, int len)
+asmlinkage int irix_sgikopt(char __user *istring, char __user *ostring, int
len)
{
return -EINVAL;
}
-asmlinkage int irix_gettimeofday(struct timeval *tv)
+asmlinkage int irix_gettimeofday(struct timeval __user *tv)
{
time_t sec;
long nsec, seq;
int err;
- if (verify_area(VERIFY_WRITE, tv, sizeof(struct timeval)))
+ if (!access_ok(VERIFY_WRITE, tv, sizeof(struct timeval)))
return -EFAULT;
do {
@@ -1081,7 +1071,7 @@
if (max_size > file->f_dentry->d_inode->i_size) {
old_pos = sys_lseek (fd, max_size - 1, 0);
- sys_write (fd, "", 1);
+ sys_write (fd, (void __user *) "", 1);
sys_lseek (fd, old_pos, 0);
}
}
@@ -1106,7 +1096,7 @@
return -EINVAL;
}
-asmlinkage int irix_pagelock(char *addr, int len, int op)
+asmlinkage int irix_pagelock(char __user *addr, int len, int op)
{
printk("[%s:%d] Wheee.. irix_pagelock(%p,%d,%d)\n",
current->comm, current->pid, addr, len, op);
@@ -1146,7 +1136,7 @@
return error;
}
-asmlinkage int irix_systeminfo(int cmd, char *buf, int cnt)
+asmlinkage int irix_systeminfo(int cmd, char __user *buf, int cnt)
{
printk("[%s:%d] Wheee.. irix_systeminfo(%d,%p,%d)\n",
current->comm, current->pid, cmd, buf, cnt);
@@ -1162,14 +1152,14 @@
char _unused3[257], _unused4[257], _unused5[257];
};
-asmlinkage int irix_uname(struct iuname *buf)
+asmlinkage int irix_uname(struct iuname __user *buf)
{
down_read(&uts_sem);
- if (copy_to_user(system_utsname.sysname, buf->sysname, 65)
- || copy_to_user(system_utsname.nodename, buf->nodename, 65)
- || copy_to_user(system_utsname.release, buf->release, 65)
- || copy_to_user(system_utsname.version, buf->version, 65)
- || copy_to_user(system_utsname.machine, buf->machine, 65)) {
+ if (copy_from_user(system_utsname.sysname, buf->sysname, 65)
+ || copy_from_user(system_utsname.nodename, buf->nodename, 65)
+ || copy_from_user(system_utsname.release, buf->release, 65)
+ || copy_from_user(system_utsname.version, buf->version, 65)
+ || copy_from_user(system_utsname.machine, buf->machine, 65)) {
return -EFAULT;
}
up_read(&uts_sem);
@@ -1179,7 +1169,7 @@
#undef DEBUG_XSTAT
-static int irix_xstat32_xlate(struct kstat *stat, void *ubuf)
+static int irix_xstat32_xlate(struct kstat *stat, void __user *ubuf)
{
struct xstat32 {
u32 st_dev, st_pad1[3], st_ino, st_mode, st_nlink, st_uid,
st_gid;
@@ -1219,7 +1209,7 @@
return copy_to_user(ubuf, &ub, sizeof(ub)) ? -EFAULT : 0;
}
-static int irix_xstat64_xlate(struct kstat *stat, void *ubuf)
+static int irix_xstat64_xlate(struct kstat *stat, void __user *ubuf)
{
struct xstat64 {
u32 st_dev; s32 st_pad1[3];
@@ -1269,7 +1259,7 @@
return copy_to_user(ubuf, &ks, sizeof(ks)) ? -EFAULT : 0;
}
-asmlinkage int irix_xstat(int version, char *filename, struct stat *statbuf)
+asmlinkage int irix_xstat(int version, char __user *filename, struct stat
__user *statbuf)
{
int retval;
struct kstat stat;
@@ -1295,7 +1285,7 @@
return retval;
}
-asmlinkage int irix_lxstat(int version, char *filename, struct stat *statbuf)
+asmlinkage int irix_lxstat(int version, char __user *filename, struct stat
__user *statbuf)
{
int error;
struct kstat stat;
@@ -1322,7 +1312,7 @@
return error;
}
-asmlinkage int irix_fxstat(int version, int fd, struct stat *statbuf)
+asmlinkage int irix_fxstat(int version, int fd, struct stat __user *statbuf)
{
int error;
struct kstat stat;
@@ -1348,7 +1338,7 @@
return error;
}
-asmlinkage int irix_xmknod(int ver, char *filename, int mode, unsigned dev)
+asmlinkage int irix_xmknod(int ver, char __user *filename, int mode, unsigned
dev)
{
int retval;
printk("[%s:%d] Wheee.. irix_xmknod(%d,%s,%x,%x)\n",
@@ -1368,7 +1358,7 @@
return retval;
}
-asmlinkage int irix_swapctl(int cmd, char *arg)
+asmlinkage int irix_swapctl(int cmd, char __user *arg)
{
printk("[%s:%d] Wheee.. irix_swapctl(%d,%p)\n",
current->comm, current->pid, cmd, arg);
@@ -1384,7 +1374,7 @@
char f_fstr[32]; u32 f_filler[16];
};
-asmlinkage int irix_statvfs(char *fname, struct irix_statvfs *buf)
+asmlinkage int irix_statvfs(char __user *fname, struct irix_statvfs __user
*buf)
{
struct nameidata nd;
struct kstatfs kbuf;
@@ -1392,9 +1382,9 @@
printk("[%s:%d] Wheee.. irix_statvfs(%s,%p)\n",
current->comm, current->pid, fname, buf);
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
- if (error)
- goto out;
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs)))
+ return -EFAULT;
+
error = user_path_walk(fname, &nd);
if (error)
goto out;
@@ -1402,27 +1392,25 @@
if (error)
goto dput_and_out;
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety hack... */
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
- __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety hack... */
+ error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety
hack... */
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+ error |= __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety
hack... */
#ifdef __MIPSEB__
- __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
#else
- __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
#endif
for (i = 0; i < 16; i++)
- __put_user(0, &buf->f_basetype[i]);
- __put_user(0, &buf->f_flag);
- __put_user(kbuf.f_namelen, &buf->f_namemax);
+ error |= __put_user(0, &buf->f_basetype[i]);
+ error |= __put_user(0, &buf->f_flag);
+ error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
for (i = 0; i < 32; i++)
- __put_user(0, &buf->f_fstr[i]);
-
- error = 0;
+ error |= __put_user(0, &buf->f_fstr[i]);
dput_and_out:
path_release(&nd);
@@ -1430,7 +1418,7 @@
return error;
}
-asmlinkage int irix_fstatvfs(int fd, struct irix_statvfs *buf)
+asmlinkage int irix_fstatvfs(int fd, struct irix_statvfs __user *buf)
{
struct kstatfs kbuf;
struct file *file;
@@ -1439,9 +1427,9 @@
printk("[%s:%d] Wheee.. irix_fstatvfs(%d,%p)\n",
current->comm, current->pid, fd, buf);
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
- if (error)
- goto out;
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs)))
+ return -EFAULT;
+
if (!(file = fget(fd))) {
error = -EBADF;
goto out;
@@ -1450,24 +1438,24 @@
if (error)
goto out_f;
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety hack... */
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
- __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety hack... */
+ error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety
hack... */
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+ error |= __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety
hack... */
#ifdef __MIPSEB__
- __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
#else
- __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
#endif
for(i = 0; i < 16; i++)
- __put_user(0, &buf->f_basetype[i]);
- __put_user(0, &buf->f_flag);
- __put_user(kbuf.f_namelen, &buf->f_namemax);
- __clear_user(&buf->f_fstr, sizeof(buf->f_fstr));
+ error |= __put_user(0, &buf->f_basetype[i]);
+ error |= __put_user(0, &buf->f_flag);
+ error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
+ error |= __clear_user(&buf->f_fstr, sizeof(buf->f_fstr)) ? -EFAULT : 0;
out_f:
fput(file);
@@ -1491,7 +1479,7 @@
return -EINVAL;
}
-asmlinkage int irix_truncate64(char *name, int pad, int size1, int size2)
+asmlinkage int irix_truncate64(char __user *name, int pad, int size1, int
size2)
{
int retval;
@@ -1524,6 +1512,7 @@
int len, prot, flags, fd, off1, off2, error, base = 0;
unsigned long addr, pgoff, *sp;
struct file *file = NULL;
+ int err;
if (regs->regs[2] == 1000)
base = 1;
@@ -1533,34 +1522,31 @@
prot = regs->regs[base + 6];
if (!base) {
flags = regs->regs[base + 7];
- error = verify_area(VERIFY_READ, sp, (4 * sizeof(unsigned
long)));
- if(error)
- goto out;
+ if (!access_ok(VERIFY_READ, sp, (4 * sizeof(unsigned long))))
+ return -EFAULT;
fd = sp[0];
- __get_user(off1, &sp[1]);
- __get_user(off2, &sp[2]);
+ err = __get_user(off1, &sp[1]);
+ err |= __get_user(off2, &sp[2]);
} else {
- error = verify_area(VERIFY_READ, sp, (5 * sizeof(unsigned
long)));
- if(error)
- goto out;
- __get_user(flags, &sp[0]);
- __get_user(fd, &sp[1]);
- __get_user(off1, &sp[2]);
- __get_user(off2, &sp[3]);
+ if (!access_ok(VERIFY_READ, sp, (5 * sizeof(unsigned long))))
+ return -EFAULT;
+ err = __get_user(flags, &sp[0]);
+ err |= __get_user(fd, &sp[1]);
+ err |= __get_user(off1, &sp[2]);
+ err |= __get_user(off2, &sp[3]);
}
- if (off1 & PAGE_MASK) {
- error = -EOVERFLOW;
- goto out;
- }
+ if (err)
+ return err;
+
+ if (off1 & PAGE_MASK)
+ return -EOVERFLOW;
pgoff = (off1 << (32 - PAGE_SHIFT)) | (off2 >> PAGE_SHIFT);
if (!(flags & MAP_ANONYMOUS)) {
- if (!(file = fget(fd))) {
- error = -EBADF;
- goto out;
- }
+ if (!(file = fget(fd)))
+ return -EBADF;
/* Ok, bad taste hack follows, try to think in something else
when reading this */
@@ -1570,7 +1556,7 @@
if (max_size > file->f_dentry->d_inode->i_size) {
old_pos = sys_lseek (fd, max_size - 1, 0);
- sys_write (fd, "", 1);
+ sys_write (fd, (void __user *) "", 1);
sys_lseek (fd, old_pos, 0);
}
}
@@ -1585,7 +1571,6 @@
if (file)
fput(file);
-out:
return error;
}
@@ -1597,7 +1582,7 @@
return -EINVAL;
}
-asmlinkage int irix_pread(int fd, char *buf, int cnt, int off64,
+asmlinkage int irix_pread(int fd, char __user *buf, int cnt, int off64,
int off1, int off2)
{
printk("[%s:%d] Wheee.. irix_pread(%d,%p,%d,%d,%d,%d)\n",
@@ -1606,7 +1591,7 @@
return -EINVAL;
}
-asmlinkage int irix_pwrite(int fd, char *buf, int cnt, int off64,
+asmlinkage int irix_pwrite(int fd, char __user *buf, int cnt, int off64,
int off1, int off2)
{
printk("[%s:%d] Wheee.. irix_pwrite(%d,%p,%d,%d,%d,%d)\n",
@@ -1638,7 +1623,7 @@
u32 f_filler[16];
};
-asmlinkage int irix_statvfs64(char *fname, struct irix_statvfs64 *buf)
+asmlinkage int irix_statvfs64(char __user *fname, struct irix_statvfs64 __user
*buf)
{
struct nameidata nd;
struct kstatfs kbuf;
@@ -1646,9 +1631,11 @@
printk("[%s:%d] Wheee.. irix_statvfs64(%s,%p)\n",
current->comm, current->pid, fname, buf);
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs64));
- if(error)
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs64))) {
+ error = -EFAULT;
goto out;
+ }
+
error = user_path_walk(fname, &nd);
if (error)
goto out;
@@ -1656,27 +1643,25 @@
if (error)
goto dput_and_out;
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety hack... */
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
- __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety hack... */
+ error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety
hack... */
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+ error |= __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety
hack... */
#ifdef __MIPSEB__
- __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
#else
- __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
#endif
for(i = 0; i < 16; i++)
- __put_user(0, &buf->f_basetype[i]);
- __put_user(0, &buf->f_flag);
- __put_user(kbuf.f_namelen, &buf->f_namemax);
+ error |= __put_user(0, &buf->f_basetype[i]);
+ error |= __put_user(0, &buf->f_flag);
+ error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
for(i = 0; i < 32; i++)
- __put_user(0, &buf->f_fstr[i]);
-
- error = 0;
+ error |= __put_user(0, &buf->f_fstr[i]);
dput_and_out:
path_release(&nd);
@@ -1684,7 +1669,7 @@
return error;
}
-asmlinkage int irix_fstatvfs64(int fd, struct irix_statvfs *buf)
+asmlinkage int irix_fstatvfs64(int fd, struct irix_statvfs __user *buf)
{
struct kstatfs kbuf;
struct file *file;
@@ -1693,9 +1678,10 @@
printk("[%s:%d] Wheee.. irix_fstatvfs64(%d,%p)\n",
current->comm, current->pid, fd, buf);
- error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
- if (error)
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs))) {
+ error = -EFAULT;
goto out;
+ }
if (!(file = fget(fd))) {
error = -EBADF;
goto out;
@@ -1704,24 +1690,24 @@
if (error)
goto out_f;
- __put_user(kbuf.f_bsize, &buf->f_bsize);
- __put_user(kbuf.f_frsize, &buf->f_frsize);
- __put_user(kbuf.f_blocks, &buf->f_blocks);
- __put_user(kbuf.f_bfree, &buf->f_bfree);
- __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety hack... */
- __put_user(kbuf.f_files, &buf->f_files);
- __put_user(kbuf.f_ffree, &buf->f_ffree);
- __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety hack... */
+ error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+ error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+ error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+ error |= __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety
hack... */
+ error |= __put_user(kbuf.f_files, &buf->f_files);
+ error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+ error |= __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety
hack... */
#ifdef __MIPSEB__
- __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
#else
- __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+ error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
#endif
for(i = 0; i < 16; i++)
- __put_user(0, &buf->f_basetype[i]);
- __put_user(0, &buf->f_flag);
- __put_user(kbuf.f_namelen, &buf->f_namemax);
- __clear_user(buf->f_fstr, sizeof(buf->f_fstr[i]));
+ error |= __put_user(0, &buf->f_basetype[i]);
+ error |= __put_user(0, &buf->f_flag);
+ error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
+ error |= __clear_user(buf->f_fstr, sizeof(buf->f_fstr[i])) ? -EFAULT :
0;
out_f:
fput(file);
@@ -1729,15 +1715,14 @@
return error;
}
-asmlinkage int irix_getmountid(char *fname, unsigned long *midbuf)
+asmlinkage int irix_getmountid(char __user *fname, unsigned long __user
*midbuf)
{
int err;
printk("[%s:%d] irix_getmountid(%s, %p)\n",
current->comm, current->pid, fname, midbuf);
- err = verify_area(VERIFY_WRITE, midbuf, (sizeof(unsigned long) * 4));
- if (err)
- return err;
+ if (!access_ok(VERIFY_WRITE, midbuf, (sizeof(unsigned long) * 4)))
+ return -EFAULT;
/*
* The idea with this system call is that when trying to determine
@@ -1745,7 +1730,7 @@
* fsid of the filesystem to try and make the right decision, but
* we don't have this so for now. XXX
*/
- err |= __put_user(0, &midbuf[0]);
+ err = __put_user(0, &midbuf[0]);
err |= __put_user(0, &midbuf[1]);
err |= __put_user(0, &midbuf[2]);
err |= __put_user(0, &midbuf[3]);
@@ -1772,8 +1757,8 @@
};
struct irix_dirent32_callback {
- struct irix_dirent32 *current_dir;
- struct irix_dirent32 *previous;
+ struct irix_dirent32 __user *current_dir;
+ struct irix_dirent32 __user *previous;
int count;
int error;
};
@@ -1781,13 +1766,13 @@
#define NAME_OFFSET32(de) ((int) ((de)->d_name - (char *) (de)))
#define ROUND_UP32(x) (((x)+sizeof(u32)-1) & ~(sizeof(u32)-1))
-static int irix_filldir32(void *__buf, const char *name, int namlen,
- loff_t offset, ino_t ino, unsigned int d_type)
+static int irix_filldir32(void *__buf, const char *name,
+ int namlen, loff_t offset, ino_t ino, unsigned int d_type)
{
- struct irix_dirent32 *dirent;
- struct irix_dirent32_callback *buf =
- (struct irix_dirent32_callback *)__buf;
+ struct irix_dirent32 __user *dirent;
+ struct irix_dirent32_callback *buf = __buf;
unsigned short reclen = ROUND_UP32(NAME_OFFSET32(dirent) + namlen + 1);
+ int err = 0;
#ifdef DEBUG_GETDENTS
printk("\nirix_filldir32[reclen<%d>namlen<%d>count<%d>]",
@@ -1798,25 +1783,26 @@
return -EINVAL;
dirent = buf->previous;
if (dirent)
- __put_user(offset, &dirent->d_off);
+ err = __put_user(offset, &dirent->d_off);
dirent = buf->current_dir;
- buf->previous = dirent;
- __put_user(ino, &dirent->d_ino);
- __put_user(reclen, &dirent->d_reclen);
- copy_to_user(dirent->d_name, name, namlen);
- __put_user(0, &dirent->d_name[namlen]);
- ((char *) dirent) += reclen;
+ err |= __put_user(dirent, &buf->previous);
+ err |= __put_user(ino, &dirent->d_ino);
+ err |= __put_user(reclen, &dirent->d_reclen);
+ err |= copy_to_user((char __user *)dirent->d_name, name, namlen) ?
-EFAULT : 0;
+ err |= __put_user(0, &dirent->d_name[namlen]);
+ dirent = (struct irix_dirent32 __user *) ((char __user *) dirent +
reclen);
+
buf->current_dir = dirent;
buf->count -= reclen;
- return 0;
+ return err;
}
-asmlinkage int irix_ngetdents(unsigned int fd, void * dirent,
- unsigned int count, int *eob)
+asmlinkage int irix_ngetdents(unsigned int fd, void __user * dirent,
+ unsigned int count, int __user *eob)
{
struct file *file;
- struct irix_dirent32 *lastdirent;
+ struct irix_dirent32 __user *lastdirent;
struct irix_dirent32_callback buf;
int error;
@@ -1829,7 +1815,7 @@
if (!file)
goto out;
- buf.current_dir = (struct irix_dirent32 *) dirent;
+ buf.current_dir = (struct irix_dirent32 __user *) dirent;
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -1869,8 +1855,8 @@
};
struct irix_dirent64_callback {
- struct irix_dirent64 *curr;
- struct irix_dirent64 *previous;
+ struct irix_dirent64 __user *curr;
+ struct irix_dirent64 __user *previous;
int count;
int error;
};
@@ -1878,37 +1864,44 @@
#define NAME_OFFSET64(de) ((int) ((de)->d_name - (char *) (de)))
#define ROUND_UP64(x) (((x)+sizeof(u64)-1) & ~(sizeof(u64)-1))
-static int irix_filldir64(void * __buf, const char * name, int namlen,
- loff_t offset, ino_t ino, unsigned int d_type)
+static int irix_filldir64(void *__buf, const char *name,
+ int namlen, loff_t offset, ino_t ino, unsigned int d_type)
{
- struct irix_dirent64 *dirent;
- struct irix_dirent64_callback * buf =
- (struct irix_dirent64_callback *) __buf;
+ struct irix_dirent64 __user *dirent;
+ struct irix_dirent64_callback * buf = __buf;
unsigned short reclen = ROUND_UP64(NAME_OFFSET64(dirent) + namlen + 1);
+ int err = 0;
- buf->error = -EINVAL; /* only used if we fail.. */
+ if (!access_ok(VERIFY_WRITE, buf, sizeof(*buf)))
+ return -EFAULT;
+
+ if (__put_user(-EINVAL, &buf->error)) /* only used if we fail.. */
+ return -EFAULT;
if (reclen > buf->count)
return -EINVAL;
dirent = buf->previous;
if (dirent)
- __put_user(offset, &dirent->d_off);
+ err = __put_user(offset, &dirent->d_off);
dirent = buf->curr;
buf->previous = dirent;
- __put_user(ino, &dirent->d_ino);
- __put_user(reclen, &dirent->d_reclen);
- __copy_to_user(dirent->d_name, name, namlen);
- __put_user(0, &dirent->d_name[namlen]);
- ((char *) dirent) += reclen;
+ err |= __put_user(ino, &dirent->d_ino);
+ err |= __put_user(reclen, &dirent->d_reclen);
+ err |= __copy_to_user((char __user *)dirent->d_name, name, namlen)
+ ? -EFAULT : 0;
+ err |= __put_user(0, &dirent->d_name[namlen]);
+
+ dirent = (struct irix_dirent64 __user *) ((char __user *) dirent +
reclen);
+
buf->curr = dirent;
buf->count -= reclen;
- return 0;
+ return err;
}
-asmlinkage int irix_getdents64(int fd, void *dirent, int cnt)
+asmlinkage int irix_getdents64(int fd, void __user *dirent, int cnt)
{
struct file *file;
- struct irix_dirent64 *lastdirent;
+ struct irix_dirent64 __user *lastdirent;
struct irix_dirent64_callback buf;
int error;
@@ -1928,7 +1921,7 @@
if (cnt < (sizeof(struct irix_dirent64) + 255))
goto out_f;
- buf.curr = (struct irix_dirent64 *) dirent;
+ buf.curr = (struct irix_dirent64 __user *) dirent;
buf.previous = NULL;
buf.count = cnt;
buf.error = 0;
@@ -1940,7 +1933,8 @@
error = buf.error;
goto out_f;
}
- lastdirent->d_off = (u64) file->f_pos;
+ if (put_user(file->f_pos, &lastdirent->d_off))
+ return -EFAULT;
#ifdef DEBUG_GETDENTS
printk("returning %d\n", cnt - buf.count);
#endif
@@ -1952,10 +1946,10 @@
return error;
}
-asmlinkage int irix_ngetdents64(int fd, void *dirent, int cnt, int *eob)
+asmlinkage int irix_ngetdents64(int fd, void __user *dirent, int cnt, int *eob)
{
struct file *file;
- struct irix_dirent64 *lastdirent;
+ struct irix_dirent64 __user *lastdirent;
struct irix_dirent64_callback buf;
int error;
@@ -1977,7 +1971,7 @@
goto out_f;
*eob = 0;
- buf.curr = (struct irix_dirent64 *) dirent;
+ buf.curr = (struct irix_dirent64 __user *) dirent;
buf.previous = NULL;
buf.count = cnt;
buf.error = 0;
@@ -1989,7 +1983,8 @@
error = buf.error;
goto out_f;
}
- lastdirent->d_off = (u64) file->f_pos;
+ if (put_user(file->f_pos, &lastdirent->d_off))
+ return -EFAULT;
#ifdef DEBUG_GETDENTS
printk("eob=%d returning %d\n", *eob, cnt - buf.count);
#endif
@@ -2052,14 +2047,14 @@
return retval;
}
-asmlinkage int irix_utssys(char *inbuf, int arg, int type, char *outbuf)
+asmlinkage int irix_utssys(char __user *inbuf, int arg, int type, char __user
*outbuf)
{
int retval;
switch(type) {
case 0:
/* uname() */
- retval = irix_uname((struct iuname *)inbuf);
+ retval = irix_uname((struct iuname __user *)inbuf);
goto out;
case 2:
diff -urN linux/arch/mips/kernel/unaligned.c linux/arch/mips/kernel/unaligned.c
--- linux/arch/mips/kernel/unaligned.c 2005/03/01 21:20:47 1.37
+++ linux/arch/mips/kernel/unaligned.c 2005/03/17 21:50:49 1.38
@@ -143,7 +143,7 @@
* The remaining opcodes are the ones that are really of interest.
*/
case lh_op:
- if (verify_area(VERIFY_READ, addr, 2))
+ if (!access_ok(VERIFY_READ, addr, 2))
goto sigbus;
__asm__ __volatile__ (".set\tnoat\n"
@@ -176,7 +176,7 @@
break;
case lw_op:
- if (verify_area(VERIFY_READ, addr, 4))
+ if (!access_ok(VERIFY_READ, addr, 4))
goto sigbus;
__asm__ __volatile__ (
@@ -206,7 +206,7 @@
break;
case lhu_op:
- if (verify_area(VERIFY_READ, addr, 2))
+ if (!access_ok(VERIFY_READ, addr, 2))
goto sigbus;
__asm__ __volatile__ (
@@ -248,7 +248,7 @@
* would blow up, so for now we don't handle unaligned 64-bit
* instructions on 32-bit kernels.
*/
- if (verify_area(VERIFY_READ, addr, 4))
+ if (!access_ok(VERIFY_READ, addr, 4))
goto sigbus;
__asm__ __volatile__ (
@@ -292,7 +292,7 @@
* would blow up, so for now we don't handle unaligned 64-bit
* instructions on 32-bit kernels.
*/
- if (verify_area(VERIFY_READ, addr, 8))
+ if (!access_ok(VERIFY_READ, addr, 8))
goto sigbus;
__asm__ __volatile__ (
@@ -326,7 +326,7 @@
goto sigill;
case sh_op:
- if (verify_area(VERIFY_WRITE, addr, 2))
+ if (!access_ok(VERIFY_WRITE, addr, 2))
goto sigbus;
value = regs->regs[insn.i_format.rt];
@@ -362,7 +362,7 @@
break;
case sw_op:
- if (verify_area(VERIFY_WRITE, addr, 4))
+ if (!access_ok(VERIFY_WRITE, addr, 4))
goto sigbus;
value = regs->regs[insn.i_format.rt];
@@ -400,7 +400,7 @@
* would blow up, so for now we don't handle unaligned 64-bit
* instructions on 32-bit kernels.
*/
- if (verify_area(VERIFY_WRITE, addr, 8))
+ if (!access_ok(VERIFY_WRITE, addr, 8))
goto sigbus;
value = regs->regs[insn.i_format.rt];
diff -urN linux/arch/mips/math-emu/dsemul.c linux/arch/mips/math-emu/dsemul.c
--- linux/arch/mips/math-emu/dsemul.c 2005/02/28 17:55:57 1.6
+++ linux/arch/mips/math-emu/dsemul.c 2005/03/17 21:50:49 1.7
@@ -92,7 +92,7 @@
fr = (struct emuframe *) dsemul_insns;
/* Verify that the stack pointer is not competely insane */
- if (unlikely(verify_area(VERIFY_WRITE, fr, sizeof(struct emuframe))))
+ if (unlikely(!access_ok(VERIFY_WRITE, fr, sizeof(struct emuframe))))
return SIGBUS;
err = __put_user(ir, &fr->emul);
@@ -125,7 +125,7 @@
* If we can't even access the area, something is very wrong, but we'll
* leave that to the default handling
*/
- if (verify_area(VERIFY_READ, fr, sizeof(struct emuframe)))
+ if (!access_ok(VERIFY_READ, fr, sizeof(struct emuframe)))
return 0;
/*
diff -urN linux/arch/mips/mm/cache.c linux/arch/mips/mm/cache.c
--- linux/arch/mips/mm/cache.c 2005/03/08 14:39:39 1.18
+++ linux/arch/mips/mm/cache.c 2005/03/17 21:50:49 1.19
@@ -55,7 +55,7 @@
asmlinkage int sys_cacheflush(unsigned long __user addr,
unsigned long bytes, unsigned int cache)
{
- if (verify_area(VERIFY_WRITE, (void __user *) addr, bytes))
+ if (!access_ok(VERIFY_WRITE, (void __user *) addr, bytes))
return -EFAULT;
flush_icache_range(addr, addr + bytes);
|