From: Linus Torvalds Date: Sun, 25 Jun 2006 00:47:09 +0000 (-0700) Subject: Revert "[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer" X-Git-Tag: firefly_0821_release~35449 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=83626b01275d0228516b4d97da008328fc37c934;p=firefly-linux-kernel-4.4.55.git Revert "[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer" This reverts commit 786dc1d3d7333f269e17d742886eac2188a2d9cc. As Al so eloquently points out, the patch is crap. The old code was fine, the new code was bogus. It never dereferenced a user pointer, the "->" operator was to an array member, which gives the _address_ of the member (in user space), not an actual dereference at all. Signed-off-by: Linus Torvalds
---
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3f8e06279c92..bcbeaf7101d1 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1078,9 +1078,7 @@ static int proc_submiturb(struct dev_state *ps, void __user *arg)
 if (copy_from_user(&uurb, arg, sizeof(uurb)))
 return -EFAULT;
- return proc_do_submiturb(ps, &uurb,
- (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
- arg);
+ return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
 }
 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
@@ -1205,9 +1203,7 @@ static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
 if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
 return -EFAULT;
- return proc_do_submiturb(ps, &uurb,
- (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
- arg);
+ return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
 }
 static int processcompl_compat(struct async *as, void __user * __user *arg)
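Review bot: The restored argument `((struct usbdevfs_urb __user *)arg)->iso_frame_desc` in proc_submiturb reads like a dereference of a user pointer and, per the commit message, has already been "fixed" wrongly once, so the call deserves a comment: `/* iso_frame_desc is an array member: this only computes its user-space address, arg is not dereferenced */`. The same comment applies to the `usbdevfs_urb32` call in proc_submiturb_compat in the second hunk. Both lines are only safe while iso_frame_desc stays an array member; the struct definitions are outside this diff, so that is worth confirming whenever the layout changes. The first hunk also wraps the argument in an extra pair of parentheses that the second hunk does not, and the two calls would read better written the same way. Both function bodies start outside their hunks.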