As struct iw_point is bi-directional payload, we should copy back the content

on return from ioctl calls Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp> Signed-off-by: John W. Linville <linville@tuxdriver.com>

As struct iw_point is bi-directional payload, we should copy back the content
on return from ioctl calls Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Masakazu Mokuno · John W. Linville
1 parent 3f7086978f
Showing 1 changed file with 18 additions and 4 deletions Side-by-side Diff
fs/compat_ioctl.c
@@ -2311,8 +2311,10 @@
 	struct iwreq __user *iwr_u;
 	struct iw_point __user *iwp;
 	struct compat_iw_point __user *iwp_u;
-	compat_caddr_t pointer;
+	compat_caddr_t pointer_u;
+	void __user *pointer;
 	__u16 length, flags;
+	int ret;
  
 	iwr_u = compat_ptr(arg);
 	iwp_u = (struct compat_iw_point __user *) &iwr_u->u.data;
  
  
@@ -2330,17 +2332,29 @@
 			   sizeof(iwr->ifr_ifrn.ifrn_name)))
 		return -EFAULT;
  
-	if (__get_user(pointer, &iwp_u->pointer) ||
+	if (__get_user(pointer_u, &iwp_u->pointer) ||
 	    __get_user(length, &iwp_u->length) ||
 	    __get_user(flags, &iwp_u->flags))
 		return -EFAULT;
  
-	if (__put_user(compat_ptr(pointer), &iwp->pointer) ||
+	if (__put_user(compat_ptr(pointer_u), &iwp->pointer) ||
 	    __put_user(length, &iwp->length) ||
 	    __put_user(flags, &iwp->flags))
 		return -EFAULT;
  
-	return sys_ioctl(fd, cmd, (unsigned long) iwr);
+	ret = sys_ioctl(fd, cmd, (unsigned long) iwr);
+
+	if (__get_user(pointer, &iwp->pointer) ||
+	    __get_user(length, &iwp->length) ||
+	    __get_user(flags, &iwp->flags))
+		return -EFAULT;
+
+	if (__put_user(ptr_to_compat(pointer), &iwp_u->pointer) ||
+	    __put_user(length, &iwp_u->length) ||
+	    __put_user(flags, &iwp_u->flags))
+		return -EFAULT;
+
+	return ret;
 }
  
 /* Since old style bridge ioctl's endup using SIOCDEVPRIVATE
...	...	@@ -2311,8 +2311,10 @@
2311	2311	struct iwreq __user *iwr_u;
2312	2312	struct iw_point __user *iwp;
2313	2313	struct compat_iw_point __user *iwp_u;
2314		- compat_caddr_t pointer;
	2314	+ compat_caddr_t pointer_u;
	2315	+ void __user *pointer;
2315	2316	__u16 length, flags;
	2317	+ int ret;
2316	2318
2317	2319	iwr_u = compat_ptr(arg);
2318	2320	iwp_u = (struct compat_iw_point __user *) &iwr_u->u.data;
2319	2321
2320	2322
...	...	@@ -2330,17 +2332,29 @@
2330	2332	sizeof(iwr->ifr_ifrn.ifrn_name)))
2331	2333	return -EFAULT;
2332	2334
2333		- if (__get_user(pointer, &iwp_u->pointer) \|\|
	2335	+ if (__get_user(pointer_u, &iwp_u->pointer) \|\|
2334	2336	__get_user(length, &iwp_u->length) \|\|
2335	2337	__get_user(flags, &iwp_u->flags))
2336	2338	return -EFAULT;
2337	2339
2338		- if (__put_user(compat_ptr(pointer), &iwp->pointer) \|\|
	2340	+ if (__put_user(compat_ptr(pointer_u), &iwp->pointer) \|\|
2339	2341	__put_user(length, &iwp->length) \|\|
2340	2342	__put_user(flags, &iwp->flags))
2341	2343	return -EFAULT;
2342	2344
2343		- return sys_ioctl(fd, cmd, (unsigned long) iwr);
	2345	+ ret = sys_ioctl(fd, cmd, (unsigned long) iwr);
	2346	+
	2347	+ if (__get_user(pointer, &iwp->pointer) \|\|
	2348	+ __get_user(length, &iwp->length) \|\|
	2349	+ __get_user(flags, &iwp->flags))
	2350	+ return -EFAULT;
	2351	+
	2352	+ if (__put_user(ptr_to_compat(pointer), &iwp_u->pointer) \|\|
	2353	+ __put_user(length, &iwp_u->length) \|\|
	2354	+ __put_user(flags, &iwp_u->flags))
	2355	+ return -EFAULT;
	2356	+
	2357	+ return ret;
2344	2358	}
2345	2359
2346	2360	/* Since old style bridge ioctl's endup using SIOCDEVPRIVATE