[PATCH][RFC] ibm_newemac and SIOCGMIIREG

Arnd Bergmann arnd at arndb.de
Fri Jun 11 00:31:29 EST 2010


On Thursday 10 June 2010, Steven A. Falco wrote:
> I believe there is a bug in the way the ibm_newemac driver handles the
> SIOCGMIIREG (and SIOCSMIIREG) ioctl.  The problem is that emac_ioctl
> is handed a "struct ifreq *rq" which contains a user-land pointer to
> an array of 16-bit integers.

Did you actually see a bug here, or just think that this could be
a problem?

> However, emac_ioctl directly accesses the data, which doesn't work.
> I added the following patch to copy the data in and out.
> 
> Please note that this patch was tested in an older kernel (2.6.30)
> because that is what we are using on our custom hardware.  I think
> this is still a problem in the current code, but I'd like reviewers
> to take a look, to be sure.

The ifreq structure passed into the ndo_ioctl function is in kernel
space, it gets copied there by net/core/dev.c:dev_ioctl().
emac_ioctl only accesses the data in that structure, so a copy_from_user
is wrong here as far as I can tell.

	Arnd
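
A user-space model of the path Arnd describes above, added here as an illustration; it is not code from this thread or from the ibm_newemac driver. It assumes the kernel layout in simplified form: struct mii_ioctl_data is embedded in the ifr_ifru union of struct ifreq (this is what if_mii() in <linux/mii.h> returns a pointer to), so the register data travels inline with the ifreq copy rather than behind a user pointer. memcpy stands in for copy_from_user/copy_to_user, the PHY register contents are constructed sample values, and the names emac_ioctl_model, dev_ioctl_model, mii_read and mii_write are hypothetical.

```c
/*
 * Added example: model of how dev_ioctl() hands a SIOCGMIIREG /
 * SIOCSMIIREG request to a driver's ndo ioctl handler.  The ifreq the
 * driver sees is already a kernel-space copy, and the MII register data
 * sits inline in ifr_ifru, so the driver reads and writes it in place.
 * Types are simplified stand-ins for the kernel's; not kernel code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the kernel's struct mii_ioctl_data (linux/mii.h). */
struct mii_ioctl_data {
    uint16_t phy_id;
    uint16_t reg_num;
    uint16_t val_in;
    uint16_t val_out;
};

/* Simplified struct ifreq: the MII data lives inside the union. */
struct ifreq {
    char ifr_name[16];
    union {
        struct mii_ioctl_data mii;   /* what if_mii(rq) points at */
        char pad[24];
    } ifr_ifru;
};

#define SIOCGMIIREG 0x8948
#define SIOCSMIIREG 0x8949

/* Constructed sample PHY: 32 registers, a few with typical-looking values. */
static uint16_t phy_regs[32] = { [0] = 0x1140, [1] = 0x796d, [2] = 0x0022 };

/* Model of the driver's ioctl handler (hypothetical name).  rq is the
 * kernel-space copy; a copy_from_user() on its contents would treat
 * inline register data as a user address. */
static int emac_ioctl_model(struct ifreq *rq, int cmd)
{
    struct mii_ioctl_data *data = &rq->ifr_ifru.mii;   /* if_mii(rq) */

    if (data->reg_num >= 32)
        return -22;                                     /* -EINVAL */
    switch (cmd) {
    case SIOCGMIIREG:
        data->val_out = phy_regs[data->reg_num];
        return 0;
    case SIOCSMIIREG:
        phy_regs[data->reg_num] = data->val_in;
        return 0;
    }
    return -95;                                         /* -EOPNOTSUPP */
}

/* Model of net/core/dev.c:dev_ioctl(): copy the caller's ifreq in
 * (copy_from_user in the kernel, memcpy here), run the driver on the
 * kernel copy, then copy the result back out (copy_to_user). */
static int dev_ioctl_model(struct ifreq *user_ifr, int cmd)
{
    struct ifreq ifr;                                   /* kernel-space copy */
    memcpy(&ifr, user_ifr, sizeof(ifr));
    int ret = emac_ioctl_model(&ifr, cmd);
    if (ret == 0)
        memcpy(user_ifr, &ifr, sizeof(ifr));
    return ret;
}

/* Read PHY register reg through the modelled ioctl path; 0xffff on error. */
uint16_t mii_read(uint16_t reg)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, "eth0", sizeof(ifr.ifr_name) - 1);
    ifr.ifr_ifru.mii.phy_id = 0;
    ifr.ifr_ifru.mii.reg_num = reg;
    if (dev_ioctl_model(&ifr, SIOCGMIIREG) != 0)
        return 0xffff;
    return ifr.ifr_ifru.mii.val_out;                    /* filled in place */
}

/* Write val to PHY register reg; returns 0 or a negative errno-style code. */
int mii_write(uint16_t reg, uint16_t val)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, "eth0", sizeof(ifr.ifr_name) - 1);
    ifr.ifr_ifru.mii.reg_num = reg;
    ifr.ifr_ifru.mii.val_in = val;
    return dev_ioctl_model(&ifr, SIOCSMIIREG);
}

int main(void)
{
    printf("BMCR  (reg 0) = 0x%04x\n", mii_read(0));
    printf("BMSR  (reg 1) = 0x%04x\n", mii_read(1));
    mii_write(4, 0x01e1);
    printf("ANAR  (reg 4) = 0x%04x\n", mii_read(4));
    printf("reg 40        = 0x%04x (out of range)\n", mii_read(40));
    return 0;
}
```

The only copies in the path are the two in dev_ioctl_model; the driver-side handler never touches a user address, which is the reason a copy_from_user inside it would be wrong in this model.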


More information about the Linuxppc-dev mailing list