To: linux-m68k@lists.linux-m68k.org Subject: L68K: copy_to_user in amiflop.c X-Yow: .. Once upon a time, four AMPHIBIOUS HOG CALLERS attacked a family of DEFENSELESS, SENSITIVE COIN COLLECTORS and brought DOWN their PROPERTY VALUES!! From: Andreas Schwab Date: 28 Jan 1998 10:52:44 +0100 Sender: owner-linux-m68k@phil.uni-sb.de This came up in linux-kernel: the use of copy_to_user is broken in amiflop.c. This function does *not* return an error code, but the number of bytes left _un_copied. On the other hand, put_user does return an appropriate error code. This patch may not be against the latest version of amiflop.c because i didn't follow all patches here. Andreas.
--- drivers/block/amiflop.c.~2~ Thu Jan 15 00:49:47 1998
+++ drivers/block/amiflop.c Tue Jan 27 18:10:24 1998
@@ -1523,9 +1523,9 @@
 loc.sectors = unit[drive].sects;
 loc.cylinders = unit[drive].type->tracks;
 loc.start = 0;
- if ((error = copy_to_user((void *)param, (void *)&loc,
- sizeof(struct hd_geometry))))
- return error;
+ if (copy_to_user((void *)param, (void *)&loc,
+ sizeof(struct hd_geometry))))
+ return -EFAULT;
 break;
 }
 case FDFMTBEG:
@@ -1578,15 +1578,13 @@
 getprm.head=unit[drive].type->heads;
 getprm.sect=unit[drive].sects;
 getprm.size=unit[drive].blocks;
- if ((error = copy_to_user((void *)param,
- (void *)&getprm,
- sizeof(struct floppy_struct))))
- return error;
+ if (copy_to_user((void *)param,
+ (void *)&getprm,
+ sizeof(struct floppy_struct))))
+ return -EFAULT;
 break;
 case BLKGETSIZE:
- if (put_user(unit[drive].blocks,(long *)param))
- return -EFAULT;
- break;
+ return put_user(unit[drive].blocks,(long *)param);
 case FDSETPRM:
 case FDDEFPRM:
 return -EINVAL;
@@ -1603,10 +1601,9 @@
 break;
 #ifdef RAW_IOCTL
 case IOCTL_RAW_TRACK:
- error = copy_to_user((void *)param, raw_buf,
- unit[drive].type->read_size);
- if (error)
- return error;
+ if (copy_to_user((void *)param, raw_buf,
+ unit[drive].type->read_size))
+ return -EFAULT;
 else
 return unit[drive].type->read_size;
 #endif
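Review bot: The added condition in the first hunk has one closing parenthesis too many, so the file will not compile as posted. `sizeof(struct hd_geometry))))` keeps the four parentheses of the removed `if ((error = copy_to_user(` form, while the new `if (copy_to_user(` opens only three; the line should end `sizeof(struct hd_geometry)))`. The second hunk carries the same leftover parenthesis at `sizeof(struct floppy_struct))))`, whereas the third hunk is balanced. The enclosing switch begins and ends outside the hunk.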
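Review bot: Only `head`, `sect` and `size` of `getprm` are visibly assigned in the second hunk before the whole `struct floppy_struct` is copied to user space. Any field or padding byte not written above the hunk would expose uninitialised kernel memory to the caller. Whether `getprm` is cleared earlier in this case cannot be seen from here; if it is not, `memset(&getprm, 0, sizeof(getprm));` ahead of the assignments closes the gap. The same question applies to `loc` in the first hunk. The case body begins outside the hunk.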