From: Peter Osterlund
Date: Sat, 14 May 2005 07:58:30 +0000 (-0700)
Subject: [PATCH] Fix root hole in pktcdvd
X-Git-Tag: firefly_0821_release~42753^2~270
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=118326e940bdecef6c459d42ccf05256ba86daa7;p=firefly-linux-kernel-4.4.55.git

[PATCH] Fix root hole in pktcdvd

ioctl_by_bdev may only be used INSIDE the kernel. If the "arg" argument refers to memory that is accessed by put_user/get_user in the ioctl function, the memory needs to be in the kernel address space (that's the set_fs(KERNEL_DS) doing in the ioctl_by_bdev). This works on i386 because even with set_fs(KERNEL_DS) the user space memory is still accessible with put_user/get_user. That is not true for s390. In short the ioctl implementation of the pktcdvd device driver is horribly broken.

Signed-off-by: Peter Osterlund
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c index 1a1fa3ccb913..82ccad0a7f1a 100644 --- a/drivers/block/pktcdvd.c +++ b/drivers/block/pktcdvd.c @@ -2406,7 +2406,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u case CDROM_LAST_WRITTEN: case CDROM_SEND_PACKET: case SCSI_IOCTL_SEND_COMMAND: - return ioctl_by_bdev(pd->bdev, cmd, arg); + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); case CDROMEJECT: /* @@ -2414,7 +2414,7 @@ static int pkt_ioctl(struct inode *inode, struct file *file, unsigned int cmd, u * have to unlock it or else the eject command fails. */ pkt_lock_door(pd, 0); - return ioctl_by_bdev(pd->bdev, cmd, arg); + return blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg); default: printk("pktcdvd: Unknown ioctl for %s (%x)\n", pd->name, cmd);
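
Review bot: in the first hunk (the CDROM_LAST_WRITTEN, CDROM_SEND_PACKET and SCSI_IOCTL_SEND_COMMAND cases) the new call `blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg)` pairs the underlying device's inode with the `file` that pkt_ioctl itself received, so the two arguments describe different devices. Please add a comment at this call saying why that pairing is safe for whatever the callee reads from `file`, and that `arg` is a user-space pointer which must not be routed through ioctl_by_bdev. The commit message explains the set_fs(KERNEL_DS) problem, but nothing in the code itself stops a later cleanup from switching the call back.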
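
Review bot: in the CDROMEJECT hunk the door is unlocked with `pkt_lock_door(pd, 0)` before the ioctl is forwarded, and the forwarded call's result is returned directly, so a failed eject leaves the door unlocked. Consider storing the result of `blkdev_ioctl(pd->bdev->bd_inode, file, cmd, arg)` in a local variable and re-locking the door when it reports an error, or extend the comment above the unlock to say why leaving the door unlocked after a failed eject is acceptable.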