Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 118326e9 authored by Peter Osterlund's avatar Peter Osterlund Committed by Greg Kroah-Hartman
Browse files

[PATCH] Fix root hole in pktcdvd 



ioctl_by_bdev may only be used INSIDE the kernel.  If the "arg" argument
refers to memory that is accessed by put_user/get_user in the ioctl
function, the memory needs to be in the kernel address space (that's the
set_fs(KERNEL_DS) doing in the ioctl_by_bdev).  This works on i386 because
even with set_fs(KERNEL_DS) the user space memory is still accessible with
put_user/get_user.  That is not true for s390.  In short the ioctl
implementation of the pktcdvd device driver is horribly broken.

Signed-off-by: default avatarPeter Osterlund <petero2@telia.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 68f66feb

drivers/block/pktcdvd.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -2406,7 +2406,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u 
	case CDROM_LAST_WRITTEN:

	case CDROM_LAST_WRITTEN:

	case CDROM_SEND_PACKET:

	case CDROM_SEND_PACKET:

	case SCSI_IOCTL_SEND_COMMAND:

	case SCSI_IOCTL_SEND_COMMAND:

		return ioctl_by_bdev(pd->bdev, cmd, arg);

		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);





	case CDROMEJECT:

	case CDROMEJECT:

		/*

		/*
@@ -2414,7 +2414,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u 
		 * have to unlock it or else the eject command fails.

		 * have to unlock it or else the eject command fails.

		 */

		 */

		pkt_lock_door(pd, 0);

		pkt_lock_door(pd, 0);

		return ioctl_by_bdev(pd->bdev, cmd, arg);

		return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg);





	default:

	default:

		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);

		printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);