lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 19 Feb 2016 16:13:50 +0000
From:	Ian Abbott <abbotti@....co.uk>
To:	devel@...verdev.osuosl.org
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Ian Abbott <abbotti@....co.uk>,
	H Hartley Sweeten <hsweeten@...ionengravers.com>,
	linux-kernel@...r.kernel.org
Subject: [PATCH 1/8] staging: comedi: COMEDI_BUFINFO: get amount freed, not amount allocated

The `COMEDI_BUFINFO` ioctl is used to advance the current position in
the buffer by a specified amount (which can be 0) and get the new
position.  On input, the `bytes_read` member of `struct comedi_bufinfo`
specifies the amount to advance the "read" position for an asynchronous
command in the "read" direction, and the `bytes_written` member
specifies the amount to advance the "write" position for a command in
the "write" direction.  The handler `do_bufinfo_ioctl()` may limit the
specified values according to amount of readable or writable space in
the buffer.  On output, the `struct comedi_bufinfo` is filled in with
the updated position information, along with the adjusted `bytes_read`
and `bytes_written` members.

Advancing the buffer position occurs in two steps: first, some buffer
space is allocated, and second, it is freed, advancing the current
"read" or "write" position.  Currently, `do_bufinfo_ioctl()` limits
`bytes_read` or `bytes_written` to the amount it could allocate in the
first step, but that is invisible and irrelevant to the ioctl user.
It's mostly irrelevant to the COMEDI internals as well, apart from
limiting how much can be freed in the second step.  Change it to ignore
how much it managed to allocate in the first step and just use the
amount that was actually freed in the second step, which is the amount
the current buffer position was actually moved by this ioctl call.

Signed-off-by: Ian Abbott <abbotti@....co.uk>
---
 drivers/staging/comedi/comedi_fops.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index d57fade..2cfb61e 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1142,8 +1142,8 @@ static int do_bufinfo_ioctl(struct comedi_device *dev,
 		return -EACCES;
 
 	if (bi.bytes_read && !(async->cmd.flags & CMDF_WRITE)) {
-		bi.bytes_read = comedi_buf_read_alloc(s, bi.bytes_read);
-		comedi_buf_read_free(s, bi.bytes_read);
+		comedi_buf_read_alloc(s, bi.bytes_read);
+		bi.bytes_read = comedi_buf_read_free(s, bi.bytes_read);
 
 		if (comedi_is_subdevice_idle(s) &&
 		    comedi_buf_read_n_available(s) == 0) {
@@ -1152,9 +1152,8 @@ static int do_bufinfo_ioctl(struct comedi_device *dev,
 	}
 
 	if (bi.bytes_written && (async->cmd.flags & CMDF_WRITE)) {
-		bi.bytes_written =
-		    comedi_buf_write_alloc(s, bi.bytes_written);
-		comedi_buf_write_free(s, bi.bytes_written);
+		comedi_buf_write_alloc(s, bi.bytes_written);
+		bi.bytes_written = comedi_buf_write_free(s, bi.bytes_written);
 	}
 
 copyback_position:
-- 
2.7.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ