linux/drivers/char
Stephen Tweedie 68f66feb30 [PATCH] Fix root hole in raw device
[Patch] Fix raw device ioctl pass-through

Raw character devices are supposed to pass ioctls through to the block
devices they are bound to.  Unfortunately, they are using the wrong
function for this: ioctl_by_bdev(), instead of blkdev_ioctl().

ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
redirecting the user-space buffer access to the kernel address space.
This is, needless to say, a bad thing.

This was noticed first on s390, where raw IO was non-functioning.  The
s390 driver config does not actually allow raw IO to be enabled, which
was the first part of the problem.  Secondly, the s390 kernel address
space is distinct from user, causing legal raw ioctls to fail.  I've
reproduced this on a kernel built with 4G:4G split on x86, which fails
in the same way (-EFAULT if the address does not exist kernel-side;
returns success without actually populating the user buffer if it does.)

The patch below fixes both the config and address-space problems.  It's
based closely on a patch by Jan Glauber <jang@de.ibm.com>, which has
been tested on s390 at IBM.  I've tested it on x86 4G:4G (split address
space) and x86_64 (common address space).

Kernel-address-space access has been assigned CAN-2005-1264.

Signed-off-by: Stephen Tweedie <sct@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2005-05-16 21:07:21 -07:00
agp [PATCH] make lots of things static 2005-05-01 08:59:29 -07:00
drm [PATCH] r128_state.c: break missing in switch statement 2005-04-16 15:24:04 -07:00
ftape Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ip2 Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ipmi [PATCH] ipmi iomem annotations and fixes 2005-05-04 07:33:15 -07:00
mwave Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
pcmcia Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rio [PATCH] make lots of things static 2005-05-01 08:59:29 -07:00
tpm [PATCH] tpm 64bit fixes (size_t) 2005-04-26 07:43:41 -07:00
watchdog Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
amiserial.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
applicom.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
applicom.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cd1865.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ChangeLog Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
consolemap.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cp437.uni Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cyclades.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
decserial.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
defkeymap.c_shipped Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
defkeymap.map Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
digi1.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
digi.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
digiFep1.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
digiPCI.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ds1286.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ds1302.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ds1620.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
dsp56k.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
dtlk.c [PATCH] misc verify_area cleanups 2005-05-01 08:59:08 -07:00
ec3104_keyb.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
efirtc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
epca.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
epca.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
epcaconfig.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
esp.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
generic_nvram.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
generic_serial.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
genrtc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
hangcheck-timer.c [PATCH] hangcheck-timer: Update to 0.9.0. 2005-05-01 08:59:08 -07:00
hpet.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
hvc_console.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
hvcs.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
hvsi.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
hw_random.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
i8k.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ip2.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ip2main.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ip27-rtc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
isicom.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
istallion.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ite_gpio.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Kconfig Automatic merge of rsync://rsync.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6.git 2005-05-04 19:52:45 -07:00
keyboard.c [PATCH] make some things static 2005-05-05 16:36:47 -07:00
lcd.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
lcd.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
lp.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile [IA64] Altix system controller event handling 2005-04-25 13:28:52 -07:00
mbcs.c [PATCH] mbcs trivial user annotations 2005-05-04 07:33:13 -07:00
mbcs.h [PATCH] mbcs trivial user annotations 2005-05-04 07:33:13 -07:00
mem.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
misc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mmtimer.c [PATCH] mmtimer build fix 2005-04-16 15:23:53 -07:00
moxa.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mxser.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mxser.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
n_hdlc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
n_r3964.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
n_tty.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
nvram.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
nwbutton.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
nwbutton.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
nwflash.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ppdev.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
pty.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
qtronix.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
qtronixmap.c_shipped Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
qtronixmap.map Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
random.c [PATCH] update maintainer for /dev/random 2005-04-16 15:25:56 -07:00
raw.c [PATCH] Fix root hole in raw device 2005-05-16 21:07:21 -07:00
riscom8_reg.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
riscom8.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
riscom8.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rocket_int.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rocket.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rocket.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rtc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
s3c2410-rtc.c [PATCH] ARM: RTC: allow driver methods to return error 2005-04-30 12:19:28 +01:00
scan_keyb.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
scan_keyb.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
scc.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
scx200_gpio.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
selection.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ser_a2232.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ser_a2232.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ser_a2232fw.ax Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ser_a2232fw.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
serial167.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
snsc_event.c [IA64-SGI] snsc_event.c new file 2005-04-25 13:29:46 -07:00
snsc.c [IA64] Altix system controller event handling 2005-04-25 13:28:52 -07:00
snsc.h [IA64] Altix system controller event handling 2005-04-25 13:28:52 -07:00
sonypi.c [PATCH] sonypi trivial user annotations 2005-05-04 07:33:14 -07:00
specialix_io8.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
specialix.c [PATCH] misc verify_area cleanups 2005-05-01 08:59:08 -07:00
stallion.c [PATCH] make lots of things static 2005-05-01 08:59:29 -07:00
sx.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sx.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sxboards.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sxwindow.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
synclink.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
synclinkmp.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sysrq.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
tb0219.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
tipar.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
toshiba.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
tty_io.c [PATCH] uninline tty_paranoia_check() 2005-05-05 16:36:42 -07:00
tty_ioctl.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vc_screen.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
viocons.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
viotape.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vme_scc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vr41xx_rtc.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vt_ioctl.c [PATCH] convert that currently tests _NSIG directly to use valid_signal() 2005-05-01 08:59:14 -07:00
vt.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00