diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-20 10:12:48 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-20 10:12:48 -0700 |
commit | c110a2bd82676a8f124cf4dfc39339fd366f0e59 (patch) | |
tree | 3637991fd8b21c22b5083546f67132dbe2dda5a4 /drivers | |
parent | 81b2dbcad86732ffc02bad87aa25c4651199fc77 (diff) | |
parent | 551f4cb9de716ffcdaf968c99a450c22ff12e8c3 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: prevent userspace from accessing shut down devices
ieee1394: sbp2: use correct size of command descriptor block
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/firewire/fw-cdev.c | 14 | ||||
-rw-r--r-- | drivers/ieee1394/sbp2.c | 20 |
2 files changed, 22 insertions, 12 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 4a541921a14a..dda14015e873 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c @@ -113,6 +113,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file) if (device == NULL) return -ENODEV; + if (fw_device_is_shutdown(device)) { + fw_device_put(device); + return -ENODEV; + } + client = kzalloc(sizeof(*client), GFP_KERNEL); if (client == NULL) { fw_device_put(device); @@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file, { struct client *client = file->private_data; + if (fw_device_is_shutdown(client->device)) + return -ENODEV; + return dispatch_ioctl(client, cmd, (void __user *) arg); } @@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *file, { struct client *client = file->private_data; + if (fw_device_is_shutdown(client->device)) + return -ENODEV; + return dispatch_ioctl(client, cmd, compat_ptr(arg)); } #endif @@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file *file, struct vm_area_struct *vma) unsigned long size; int page_count, retval; + if (fw_device_is_shutdown(client->device)) + return -ENODEV; + /* FIXME: We could support multiple buffers, but we don't. */ if (client->buffer.pages != NULL) return -EBUSY; diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c index 16b9d0ad154e..a5ceff287a28 100644 --- a/drivers/ieee1394/sbp2.c +++ b/drivers/ieee1394/sbp2.c @@ -1539,15 +1539,13 @@ static void sbp2_prep_command_orb_sg(struct sbp2_command_orb *orb, static void sbp2_create_command_orb(struct sbp2_lu *lu, struct sbp2_command_info *cmd, - unchar *scsi_cmd, - unsigned int scsi_use_sg, - unsigned int scsi_request_bufflen, - struct scatterlist *sg, - enum dma_data_direction dma_dir) + struct scsi_cmnd *SCpnt) { struct sbp2_fwhost_info *hi = lu->hi; struct sbp2_command_orb *orb = &cmd->command_orb; u32 orb_direction; + unsigned int scsi_request_bufflen = scsi_bufflen(SCpnt); + enum dma_data_direction dma_dir = SCpnt->sc_data_direction; /* * Set-up our command ORB. @@ -1580,13 +1578,14 @@ static void sbp2_create_command_orb(struct sbp2_lu *lu, orb->data_descriptor_lo = 0x0; orb->misc |= ORB_SET_DIRECTION(1); } else - sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_use_sg, sg, + sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_sg_count(SCpnt), + scsi_sglist(SCpnt), orb_direction, dma_dir); sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb)); - memset(orb->cdb, 0, 12); - memcpy(orb->cdb, scsi_cmd, COMMAND_SIZE(*scsi_cmd)); + memset(orb->cdb, 0, sizeof(orb->cdb)); + memcpy(orb->cdb, SCpnt->cmnd, SCpnt->cmd_len); } static void sbp2_link_orb_command(struct sbp2_lu *lu, @@ -1669,16 +1668,13 @@ static void sbp2_link_orb_command(struct sbp2_lu *lu, static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt, void (*done)(struct scsi_cmnd *)) { - unchar *scsi_cmd = (unchar *)SCpnt->cmnd; struct sbp2_command_info *cmd; cmd = sbp2util_allocate_command_orb(lu, SCpnt, done); if (!cmd) return -EIO; - sbp2_create_command_orb(lu, cmd, scsi_cmd, scsi_sg_count(SCpnt), - scsi_bufflen(SCpnt), scsi_sglist(SCpnt), - SCpnt->sc_data_direction); + sbp2_create_command_orb(lu, cmd, SCpnt); sbp2_link_orb_command(lu, cmd); return 0; |