wan/farsync: copy_from_user() to iomem is wrong
kmalloc intermediate buffer(), do copy_from_user() + memcpy_toio()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
index cf27bf4..547368e 100644
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2024,6 +2024,7 @@
struct fstioc_write wrthdr;
struct fstioc_info info;
unsigned long flags;
+ void *buf;
dbg(DBG_IOCTL, "ioctl: %x, %p\n", cmd, ifr->ifr_data);
@@ -2065,16 +2066,22 @@
return -ENXIO;
}
- /* Now copy the data to the card.
- * This will probably break on some architectures.
- * I'll fix it when I have something to test on.
- */
- if (copy_from_user(card->mem + wrthdr.offset,
+ /* Now copy the data to the card. */
+
+ buf = kmalloc(wrthdr.size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ if (copy_from_user(buf,
ifr->ifr_data + sizeof (struct fstioc_write),
wrthdr.size)) {
+ kfree(buf);
return -EFAULT;
}
+ memcpy_toio(card->mem + wrthdr.offset, buf, wrthdr.size);
+ kfree(buf);
+
/* Writes to the memory of a card in the reset state constitute
* a download
*/