|
Lines 220-225
Link Here
|
| 220 |
return -EBADF; |
220 |
return -EBADF; |
| 221 |
if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read)) |
221 |
if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read)) |
| 222 |
return -EINVAL; |
222 |
return -EINVAL; |
|
|
223 |
if (unlikely(!access_ok(VERIFY_WRITE, buf, count))) |
| 224 |
return -EFAULT; |
| 223 |
|
225 |
|
| 224 |
ret = rw_verify_area(READ, file, pos, count); |
226 |
ret = rw_verify_area(READ, file, pos, count); |
| 225 |
if (!ret) { |
227 |
if (!ret) { |
|
Lines 266-271
Link Here
|
| 266 |
return -EBADF; |
268 |
return -EBADF; |
| 267 |
if (!file->f_op || (!file->f_op->write && !file->f_op->aio_write)) |
269 |
if (!file->f_op || (!file->f_op->write && !file->f_op->aio_write)) |
| 268 |
return -EINVAL; |
270 |
return -EINVAL; |
|
|
271 |
if (unlikely(!access_ok(VERIFY_READ, buf, count))) |
| 272 |
return -EFAULT; |
| 269 |
|
273 |
|
| 270 |
ret = rw_verify_area(WRITE, file, pos, count); |
274 |
ret = rw_verify_area(WRITE, file, pos, count); |
| 271 |
if (!ret) { |
275 |
if (!ret) { |
|
Lines 397-402
Link Here
|
| 397 |
|
401 |
|
| 398 |
EXPORT_SYMBOL(iov_shorten); |
402 |
EXPORT_SYMBOL(iov_shorten); |
| 399 |
|
403 |
|
|
|
404 |
/* A write operation does a read from user space and vice versa */ |
| 405 |
#define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ) |
| 406 |
|
| 400 |
static ssize_t do_readv_writev(int type, struct file *file, |
407 |
static ssize_t do_readv_writev(int type, struct file *file, |
| 401 |
const struct iovec __user * uvector, |
408 |
const struct iovec __user * uvector, |
| 402 |
unsigned long nr_segs, loff_t *pos) |
409 |
unsigned long nr_segs, loff_t *pos) |
|
Lines 450-457
Link Here
|
| 450 |
tot_len = 0; |
457 |
tot_len = 0; |
| 451 |
ret = -EINVAL; |
458 |
ret = -EINVAL; |
| 452 |
for (seg = 0; seg < nr_segs; seg++) { |
459 |
for (seg = 0; seg < nr_segs; seg++) { |
|
|
460 |
void __user *buf = iov[seg].iov_base; |
| 453 |
ssize_t len = (ssize_t)iov[seg].iov_len; |
461 |
ssize_t len = (ssize_t)iov[seg].iov_len; |
| 454 |
|
462 |
|
|
|
463 |
if (unlikely(!access_ok(vrfy_dir(type), buf, len))) |
| 464 |
goto Efault; |
| 455 |
if (len < 0) /* size_t not fitting an ssize_t .. */ |
465 |
if (len < 0) /* size_t not fitting an ssize_t .. */ |
| 456 |
goto out; |
466 |
goto out; |
| 457 |
tot_len += len; |
467 |
tot_len += len; |
|
Lines 510-515
Link Here
|
| 510 |
dnotify_parent(file->f_dentry, |
520 |
dnotify_parent(file->f_dentry, |
| 511 |
(type == READ) ? DN_ACCESS : DN_MODIFY); |
521 |
(type == READ) ? DN_ACCESS : DN_MODIFY); |
| 512 |
return ret; |
522 |
return ret; |
|
|
523 |
Efault: |
| 524 |
ret = -EFAULT; |
| 525 |
goto out; |
| 513 |
} |
526 |
} |
| 514 |
|
527 |
|
| 515 |
ssize_t vfs_readv(struct file *file, const struct iovec __user *vec, |
528 |
ssize_t vfs_readv(struct file *file, const struct iovec __user *vec, |