
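--- a/arch/mips/kernel/linux32.c
+++ b/arch/mips/kernel/linux32.c
@@ -468,8 +468,7 @@
 	if (!(file->f_mode & FMODE_READ))
 		goto out;
 	pos = merge_64(a4, a5);
-	ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,
-				file, pos, count);
+	ret = rw_verify_area(READ, file, &pos, count);
 	if (ret)
 		goto out;
 	ret = -EINVAL;
@@ -504,8 +503,7 @@
 	if (!(file->f_mode & FMODE_WRITE))
 		goto out;
 	pos = merge_64(a4, a5);
-	ret = locks_verify_area(FLOCK_VERIFY_WRITE, file->f_dentry->d_inode,
-				file, pos, count);
+	ret = rw_verify_area(WRITE, file, &pos, count);
 	if (ret)
 		goto out;
 	ret = -EINVAL;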
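--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1126,7 +1126,6 @@
 	int seg;
 	io_fn_t fn;
 	iov_fn_t fnv;
-	struct inode *inode;
 
 	/*
 	 * SuS says "The readv() function *may* fail if the iovcnt argument
@@ -1191,11 +1190,7 @@
 		goto out;
 	}
 
-	inode = file->f_dentry->d_inode;
-	/* VERIFY_WRITE actually means a read, as we write to user space */
-	ret = locks_verify_area((type == READ
-				 ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
-				inode, file, *pos, tot_len);
+	ret = rw_verify_area(type, file, pos, tot_len);
 	if (ret)
 		goto out;
 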
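--- a/fs/locks.c
+++ b/fs/locks.c
@@ -1011,7 +1011,7 @@
  * @count:      length of area to check
  *
  * Searches the inode's list of locks to find any POSIX locks which conflict.
- * This function is called from locks_verify_area() and
+ * This function is called from rw_verify_area() and
  * locks_verify_truncate().
  */
 int locks_mandatory_area(int read_write, struct inode *inode,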
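--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -182,6 +182,16 @@
 }
 #endif
 
+
+int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
+{
+	struct inode *inode = file->f_dentry->d_inode;
+
+	if (inode->i_flock && MANDATORY_LOCK(inode))
+		return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, *ppos, count);
+	return 0;
+}
+
 ssize_t do_sync_read(struct file *filp, char __user *buf, size_t len, loff_t *ppos)
 {
 	struct kiocb kiocb;
@@ -200,7 +210,6 @@
 
 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
 {
-	struct inode *inode = file->f_dentry->d_inode;
 	ssize_t ret;
 
 	if (!(file->f_mode & FMODE_READ))
@@ -208,7 +217,7 @@
 	if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read))
 		return -EINVAL;
 
-	ret = locks_verify_area(FLOCK_VERIFY_READ, inode, file, *pos, count);
+	ret = rw_verify_area(READ, file, pos, count);
 	if (!ret) {
 		ret = security_file_permission (file, MAY_READ);
 		if (!ret) {
@@ -247,7 +256,6 @@
 
 ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
 {
-	struct inode *inode = file->f_dentry->d_inode;
 	ssize_t ret;
 
 	if (!(file->f_mode & FMODE_WRITE))
@@ -255,7 +263,7 @@
 	if (!file->f_op || (!file->f_op->write && !file->f_op->aio_write))
 		return -EINVAL;
 
-	ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file, *pos, count);
+	ret = rw_verify_area(WRITE, file, pos, count);
 	if (!ret) {
 		ret = security_file_permission (file, MAY_WRITE);
 		if (!ret) {
@@ -399,7 +407,6 @@
 	int seg;
 	io_fn_t fn;
 	iov_fn_t fnv;
-	struct inode *inode;
 
 	/*
 	 * SuS says "The readv() function *may* fail if the iovcnt argument
@@ -452,11 +459,7 @@
 		goto out;
 	}
 
-	inode = file->f_dentry->d_inode;
-	/* VERIFY_WRITE actually means a read, as we write to user space */
-	ret = locks_verify_area((type == READ 
-				 ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),
-				inode, file, *pos, tot_len);
+	ret = rw_verify_area(type, file, pos, tot_len);
 	if (ret)
 		goto out;
 
@@ -603,7 +606,7 @@
 	else
 		if (!(in_file->f_mode & FMODE_PREAD))
 			goto fput_in;
-	retval = locks_verify_area(FLOCK_VERIFY_READ, in_inode, in_file, *ppos, count);
+	retval = rw_verify_area(READ, in_file, ppos, count);
 	if (retval)
 		goto fput_in;
 
@@ -624,7 +627,7 @@
 	if (!out_file->f_op || !out_file->f_op->sendpage)
 		goto fput_out;
 	out_inode = out_file->f_dentry->d_inode;
-	retval = locks_verify_area(FLOCK_VERIFY_WRITE, out_inode, out_file, out_file->f_pos, count);
+	retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
 	if (retval)
 		goto fput_out;
 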
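Review bot: `rw_verify_area()` as added in the first hunk takes `ppos` and `count` but only forwards them to the mandatory-lock check, so a `count` that is negative when viewed as `ssize_t`, or a `*ppos + count` that wraps, is accepted unchanged. That applies to every caller converted here: `vfs_read`, `vfs_write`, the readv/writev and in_file/out_file hunks, and the fs/compat.c and arch/mips callers. With all read/write paths now going through one helper, this is the natural place for that range check; none is visible in the converted hunks, though the callers' bodies continue outside them. A sketch follows; files that legitimately use offsets with the top bit set would need an exemption. The helper also deserves a short comment saying what it validates and what it returns.

```c
int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
{
	/* … unchanged: inode lookup … */
	loff_t pos = *ppos;

	/* Reject lengths and ranges that go negative as signed quantities. */
	if ((ssize_t) count < 0)
		return -EINVAL;
	if (pos < 0 || (loff_t) (pos + count) < 0)
		return -EINVAL;

	/* … unchanged: mandatory-lock check, return 0 … */
}
```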
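--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1222,14 +1222,7 @@
 	return 0;
 }
 
-static inline int locks_verify_area(int read_write, struct inode *inode,
-				    struct file *filp, loff_t offset,
-				    size_t count)
-{
-	if (inode->i_flock && MANDATORY_LOCK(inode))
-		return locks_mandatory_area(read_write, inode, filp, offset, count);
-	return 0;
-}
+extern int rw_verify_area(int, struct file *, loff_t *, size_t);
 
 static inline int locks_verify_truncate(struct inode *inode,
 				    struct file *filp,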
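Review bot: Removing the inline `locks_verify_area()` leaves any caller this patch does not convert without a definition. The diff touches only arch/mips/kernel/linux32.c, fs/compat.c and fs/read_write.c, so other architectures' compat syscall code and filesystem code should be searched for remaining users (inferred; the rest of the tree is not visible here). The first argument also changes meaning from `FLOCK_VERIFY_READ`/`FLOCK_VERIFY_WRITE` to `READ`/`WRITE`, which the unnamed prototype hides. Naming the parameters would make that visible: `extern int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count);`. The trailing context cuts into `locks_verify_truncate`, which continues outside the hunk.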
