• Arnd Bergmann's avatar
    libata: fix HDIO_GET_32BIT ioctl · 0e46000f
    Arnd Bergmann authored
    BugLink: http://bugs.launchpad.net/bugs/1555640
    
    commit 287e6611 upstream.
    
    As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not
    work correctly in compat mode with libata.
    
    I have investigated the issue further and found multiple problems
    that all appeared with the same commit that originally introduced
    HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably
    also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy
    a 'long' variable containing either 0 or 1 to user space.
    
    The problems with this are:
    
    * On big-endian machines, this will always write a zero because it
      stores the wrong byte into user space.
    
    * In compat mode, the upper three bytes of the variable are updated
      by the compat_hdio_ioctl() function, but they now contain
      uninitialized stack data.
    
    * The hdparm tool calling this ioctl uses a 'static long' variable
      to store the result. This means at least the upper bytes are
      initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT
      would fill them with data that remains stale when the low byte
      is overwritten. Fortunately libata doesn't implement any of the
      affected ioctl commands, so this would only happen when we query
      both an IDE and an ATA device in the same command such as
      "hdparm -N -c /dev/hda /dev/sda"
    
    * The libata code for unknown reasons started using ATA_IOC_GET_IO32
      and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT,
      while the ioctl commands that were added later use the normal
      HDIO_* names. This is harmless but rather confusing.
    
    This addresses all four issues by changing the code to use put_user()
    on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem
    does, and by clarifying the names of the ioctl commands.
    Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
    Reported-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
    Tested-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
    Signed-off-by: default avatarTejun Heo <tj@kernel.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
    0e46000f
libata-scsi.c 107 KB