1. 29 Apr, 2017 1 commit
  2. 24 Dec, 2016 1 commit
  3. 24 Sep, 2016 1 commit
  4. 28 Jun, 2016 1 commit
  5. 08 Feb, 2016 1 commit
  6. 27 Jan, 2016 1 commit
  7. 09 Jan, 2016 4 commits
    • Al Viro's avatar
      nbd: use ->compat_ioctl() · 263a3df1
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      263a3df1
    • Jann Horn's avatar
      compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS) · a7f61e89
      Jann Horn authored
      This replaces all code in fs/compat_ioctl.c that translated
      ioctl arguments into a in-kernel structure, then performed
      do_ioctl under set_fs(KERNEL_DS), with code that allocates
      data on the user stack and can call the VFS ioctl handler
      under USER_DS.
      
      This is done as a hardening measure because the caller
      does not know what kind of ioctl handler will be invoked,
      only that no corresponding compat_ioctl handler exists and
      what the ioctl command number is. The accidental
      invocation of an unlocked_ioctl handler that unexpectedly
      calls copy_to_user could be a severe security issue.
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a7f61e89
    • Al Viro's avatar
      66cf191f
    • Jann Horn's avatar
      compat_ioctl: don't look up the fd twice · b4341721
      Jann Horn authored
      In code in fs/compat_ioctl.c that translates ioctl arguments
      into a in-kernel structure, then performs sys_ioctl, possibly
      under set_fs(KERNEL_DS), this commit changes the sys_ioctl
      calls to do_ioctl calls. do_ioctl is a new function that does
      the same thing as sys_ioctl, but doesn't look up the fd again.
      
      This change is made to avoid (potential) security issues
      because of ioctl handlers that accept one of the ioctl
      commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
      TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
      This can happen for multiple reasons:
      
       - The ioctl command number could be reused.
       - The ioctl handler might not check the full ioctl
         command. This is e.g. true for drm_ioctl.
       - The ioctl handler is very special, e.g. cuse_file_ioctl
      
      The real issue is that set_fs(KERNEL_DS) is used here,
      but that's fixed in a separate commit
      "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
      
      This change mitigates potential security issues by
      preventing a race that permits invocation of
      unlocked_ioctl handlers under KERNEL_DS through compat
      code even if a corresponding compat_ioctl handler exists.
      
      So far, no way has been identified to use this to damage
      kernel memory without having CAP_SYS_ADMIN in the init ns
      (with the capability, doing reads/writes at arbitrary
      kernel addresses should be easy through CUSE's ioctl
      handler with FUSE_IOCTL_UNRESTRICTED set).
      
      [AV: two missed sys_ioctl() taken care of]
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b4341721
  8. 01 Jan, 2016 2 commits
  9. 23 Oct, 2015 1 commit
  10. 09 Jul, 2015 1 commit
  11. 03 Apr, 2015 1 commit
    • Grzegorz Kolodziejczyk's avatar
      Bluetooth: bnep: Add support for get bnep features via ioctl · 0477e2e8
      Grzegorz Kolodziejczyk authored
      This is needed if user space wants to know supported bnep features
      by kernel, e.g. if kernel supports sending response to bnep setup
      control message. By now there is no possibility to know supported
      features by kernel in case of bnep. Ioctls allows only to add connection,
      delete connection, get connection list, get connection info. Adding
      connection if it's possible (establishing network device connection) is
      equivalent to starting bnep session. Bnep session handles data queue of
      transmit, receive messages over bnep channel. It means that if we add
      connection the received/transmitted data will be parsed immediately. In
      case of get bnep features we want to know before session start, if we
      should leave setup data on socket queue and let kernel to handle with it,
      or in case of no setup handling support, if we should pull this message
      and handle setup response within user space.
      Signed-off-by: default avatarGrzegorz Kolodziejczyk <grzegorz.kolodziejczyk@tieto.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      0477e2e8
  12. 11 Jul, 2014 1 commit
  13. 06 Mar, 2014 1 commit
    • Heiko Carstens's avatar
      fs/compat: convert to COMPAT_SYSCALL_DEFINE with changing parameter types · 932602e2
      Heiko Carstens authored
      Some fs compat system calls have unsigned long parameters instead of
      compat_ulong_t.
      In order to allow the COMPAT_SYSCALL_DEFINE macro generate code that
      performs proper zero and sign extension convert all 64 bit parameters
      their corresponding 32 bit counterparts.
      
      compat_sys_io_getevents() is a bit different: the non-compat version
      has signed parameters for the "min_nr" and "nr" parameters while the
      compat version has unsigned parameters.
      So change this as well. For all practical purposes this shouldn't make
      any difference (doesn't fix a real bug).
      Also introduce a generic compat_aio_context_t type which can be used
      everywhere.
      The access_ok() check within compat_sys_io_getevents() got also removed
      since the non-compat sys_io_getevents() should be able to handle
      everything anyway.
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      932602e2
  14. 22 Jan, 2014 1 commit
  15. 25 Oct, 2013 1 commit
  16. 29 Jun, 2013 1 commit
  17. 04 May, 2013 1 commit
  18. 23 Feb, 2013 1 commit
  19. 25 Oct, 2012 2 commits
  20. 27 Sep, 2012 1 commit
  21. 25 Sep, 2012 1 commit
  22. 21 Sep, 2012 1 commit
  23. 05 Sep, 2012 1 commit
  24. 05 Mar, 2012 1 commit
  25. 29 Feb, 2012 1 commit
  26. 05 Jan, 2012 1 commit
    • Linus Torvalds's avatar
      vfs: fix up ENOIOCTLCMD error handling · 07d106d0
      Linus Torvalds authored
      We're doing some odd things there, which already messes up various users
      (see the net/socket.c code that this removes), and it was going to add
      yet more crud to the block layer because of the incorrect error code
      translation.
      
      ENOIOCTLCMD is not an error return that should be returned to user mode
      from the "ioctl()" system call, but it should *not* be translated as
      EINVAL ("Invalid argument").  It should be translated as ENOTTY
      ("Inappropriate ioctl for device").
      
      That EINVAL confusion has apparently so permeated some code that the
      block layer actually checks for it, which is sad.  We continue to do so
      for now, but add a big comment about how wrong that is, and we should
      remove it entirely eventually.  In the meantime, this tries to keep the
      changes localized to just the EINVAL -> ENOTTY fix, and removing code
      that makes it harder to do the right thing.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      07d106d0
  27. 31 Dec, 2011 1 commit
    • Mauro Carvalho Chehab's avatar
      [media] fs/compat_ioctl: it needs to see the DVBv3 compat stuff · e97a5d89
      Mauro Carvalho Chehab authored
      Only the ioctl core should see the DVBv3 compat stuff, as its
      contents are not available anymore to the drivers.
      
      As fs/compat_ioctl also handles DVBv3 ioctl's, it needs those
      definitions:
      
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: array type has incomplete element type
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: array type has incomplete element type
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: array type has incomplete element type
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1345: error: initializer element is not constant
          fs/compat_ioctl.c:1345: error: (near initialization for ‘ioctl_pointer[462]’)
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: array type has incomplete element type
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: array type has incomplete element type
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: array type has incomplete element type
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_parameters’
          fs/compat_ioctl.c:1346: error: initializer element is not constant
          fs/compat_ioctl.c:1346: error: (near initialization for ‘ioctl_pointer[463]’)
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: array type has incomplete element type
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: array type has incomplete element type
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: array type has incomplete element type
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: invalid application of ‘sizeof’ to incomplete type ‘struct dvb_frontend_event’
          fs/compat_ioctl.c:1347: error: initializer element is not constant
          fs/compat_ioctl.c:1347: error: (near initialization for ‘ioctl_pointer[464]’)
      Reported-by: default avatarMichael Krufky <mkrufky@linuxtv.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
      e97a5d89
  28. 08 Aug, 2011 1 commit
  29. 01 Jul, 2011 1 commit
    • Johannes Stezenbach's avatar
      compat_ioctl: fix warning caused by qemu · 390192b3
      Johannes Stezenbach authored
      On Linux x86_64 host with 32bit userspace, running
      qemu or even just "qemu-img create -f qcow2 some.img 1G"
      causes a kernel warning:
      
      ioctl32(qemu-img:5296): Unknown cmd fd(3) cmd(00005326){t:'S';sz:0} arg(7fffffff) on some.img
      ioctl32(qemu-img:5296): Unknown cmd fd(3) cmd(801c0204){t:02;sz:28} arg(fff77350) on some.img
      
      ioctl 00005326 is CDROM_DRIVE_STATUS,
      ioctl 801c0204 is FDGETPRM.
      
      The warning appears because the Linux compat-ioctl handler for these
      ioctls only applies to block devices, while qemu also uses the ioctls on
      plain files.
      Signed-off-by: default avatarJohannes Stezenbach <js@sig21.net>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJens Axboe <jaxboe@fusionio.com>
      390192b3
  30. 31 Jan, 2011 2 commits
    • Greg Kroah-Hartman's avatar
      Revert "appletalk: move to staging" · 0ffbf8bf
      Greg Kroah-Hartman authored
      This reverts commit a6238f21
      
      Appletalk got some patches to fix up the BLK usage in it in the
      network tree, so this removal isn't needed.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: <acme@ghostprotocols.net>
      Cc: netdev@vger.kernel.org,
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0ffbf8bf
    • Arnd Bergmann's avatar
      appletalk: move to staging · a6238f21
      Arnd Bergmann authored
      For all I know, Appletalk is dead, the only reasonable
      use right now would be nostalgia, and that can be served
      well enough by old kernels. The code is largely not
      in a bad shape, but it still uses the big kernel lock,
      and nobody seems motivated to change that.
      
      FWIW, the last release of MacOS that supported Appletalk
      was MacOS X 10.5, made in 2007, and it has been abandoned
      by Apple with 10.6. Using TCP/IP instead of Appletalk has
      been supported since MacOS 7.6, which was released in
      1997 and is able to run on most of the legacy hardware.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      a6238f21
  31. 29 Dec, 2010 1 commit
  32. 17 Dec, 2010 1 commit
  33. 17 Nov, 2010 1 commit
  34. 19 Oct, 2010 1 commit
    • Al Viro's avatar
      fix rawctl compat ioctls breakage on amd64 and itanic · c4a04727
      Al Viro authored
      RAW_SETBIND and RAW_GETBIND 32bit versions are fscked in interesting ways.
      
      1) fs/compat_ioctl.c has COMPATIBLE_IOCTL(RAW_SETBIND) followed by
      HANDLE_IOCTL(RAW_SETBIND, raw_ioctl).  The latter is ignored.
      
      2) on amd64 (and itanic) the damn thing is broken - we have int + u64 + u64
      and layouts on i386 and amd64 are _not_ the same.  raw_ioctl() would
      work there, but it's never called due to (1).  As it is, i386 /sbin/raw
      definitely doesn't work on amd64 boxen.
      
      3) switching to raw_ioctl() as is would *not* work on e.g. sparc64 and ppc64,
      which would be rather sad, seeing that normal userland there is 32bit.
      The thing is, slapping __packed on the struct in question does not DTRT -
      it eliminates *all* padding.  The real solution is to use compat_u64.
      
      4) of course, all that stuff has no business being outside of raw.c in the
      first place - there should be ->compat_ioctl() for /dev/rawctl instead of
      messing with compat_ioctl.c.
      
      [akpm@linux-foundation.org: coding-style fixes]
      [arnd@arndb.de: port to 2.6.36]
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      c4a04727