[PATCH RFC] staging: comedi: fix user/kernel space access of cmd->chanlist
Ian Abbott
abbotti at mev.co.uk
Tue Sep 18 09:24:55 UTC 2012
On 2012-09-18 01:17, H Hartley Sweeten wrote:
> The 'chanlist' in the comedi_cmd struct is an unsigned int __user
> pointer.
>
> The do_cmd_ioctl() and do_cmdtest_ioctl() functions in comedi_fops
> do a copy_from_user() to move the data from user space to kernel
> space before passing the comedi_cmd to the comedi drivers.
>
> Unfortunately, the drivers then think 'chanlist' is still a
> __user pointer since that's how the struct is defined.
>
> Make the 'chanlist' a union of both a __user and kernel pointer.
> The do_cmd_*_ioctl() functions are the only ones that use the
> __user pointer. All the drivers then use the kernel pointer to
> access the chanlist.
Personally, I'd rather get rid of the __user pointers in comedi.h and do
the appropriate casting in the comedi core.
(I came up with a macro a while ago to make the casting less ugly, but I
need to test that with `sparse` to make sure it doesn't get confused.)
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti at mev.co.uk> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
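
Added example, not part of the original thread and not comedi's own code: a user-space C model of the union approach from the quoted patch description, where the core copies the list once and drivers only ever see the kernel pointer. The names `demo_cmd`, `demo_fetch_chanlist`, `demo_copy_from_user`, `demo_driver_first_chan` and the `DEMO_MAX_CHANLIST` bound are hypothetical; the `__user`/`__force` definitions follow the kernel's sparse annotations.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#ifdef __CHECKER__   /* sparse: __user pointers live in a separate address space */
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))
#else
# define __user
# define __force
#endif

#define DEMO_MAX_CHANLIST 256u   /* assumed upper bound, not taken from comedi */

struct demo_cmd {                /* hypothetical, reduced to the relevant fields */
	union {
		unsigned int __user *chanlist_user; /* valid only before the copy */
		unsigned int *chanlist;             /* valid only after the copy */
	};
	unsigned int chanlist_len;
};

/* Stand-in for copy_from_user(): returns the number of bytes NOT copied. */
static unsigned long demo_copy_from_user(void *to, const void __user *from,
					 unsigned long n)
{
	memcpy(to, (__force const void *)from, n);
	return 0;
}

/* Core side: check the length, copy the list, switch to the kernel pointer. */
int demo_fetch_chanlist(struct demo_cmd *cmd)
{
	unsigned int *k;
	size_t bytes;

	if (cmd->chanlist_len == 0 || cmd->chanlist_len > DEMO_MAX_CHANLIST)
		return -EINVAL;
	bytes = (size_t)cmd->chanlist_len * sizeof(*k);
	k = malloc(bytes);               /* models kmalloc() */
	if (!k)
		return -ENOMEM;
	if (demo_copy_from_user(k, cmd->chanlist_user, bytes)) {
		free(k);
		return -EFAULT;
	}
	cmd->chanlist = k;               /* drivers see only the kernel copy */
	return 0;
}

/* Driver side: plain dereference, no __user pointer involved. */
unsigned int demo_driver_first_chan(const struct demo_cmd *cmd) { return cmd->chanlist[0]; }
```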