linux/include
Arnd Bergmann 287e6611ab libata: fix HDIO_GET_32BIT ioctl
As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not
work correctly in compat mode with libata.

I have investigated the issue further and found multiple problems
that all appeared with the same commit that originally introduced
HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably
also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy
a 'long' variable containing either 0 or 1 to user space.

The problems with this are:

* On big-endian machines, this will always write a zero because it
  stores the wrong byte into user space.

* In compat mode, the upper three bytes of the variable are updated
  by the compat_hdio_ioctl() function, but they now contain
  uninitialized stack data.

* The hdparm tool calling this ioctl uses a 'static long' variable
  to store the result. This means at least the upper bytes are
  initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT
  would fill them with data that remains stale when the low byte
  is overwritten. Fortunately libata doesn't implement any of the
  affected ioctl commands, so this would only happen when we query
  both an IDE and an ATA device in the same command such as
  "hdparm -N -c /dev/hda /dev/sda"

* The libata code for unknown reasons started using ATA_IOC_GET_IO32
  and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT,
  while the ioctl commands that were added later use the normal
  HDIO_* names. This is harmless but rather confusing.

This addresses all four issues by changing the code to use put_user()
on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem
does, and by clarifying the names of the ioctl commands.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Soohoon Lee <Soohoon.Lee@f5.com>
Tested-by: Soohoon Lee <Soohoon.Lee@f5.com>
Cc: stable@vger.kernel.org
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-02-11 10:07:18 -05:00
..
acpi Merge branches 'acpica', 'acpi-video' and 'acpi-fan' 2016-01-21 00:41:59 +01:00
asm-generic Merge branch 'akpm' (patches from Andrew) 2016-01-21 12:32:08 -08:00
clocksource
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-01-22 11:58:43 -08:00
drm Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
dt-bindings ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
keys Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next 2015-12-26 16:06:53 +11:00
kvm
linux libata: fix HDIO_GET_32BIT ioctl 2016-02-11 10:07:18 -05:00
math-emu
media [media] media-entitiy: add a function to create multiple links 2016-01-11 12:19:26 -02:00
memory
misc
net net: drop tcp_memcontrol.c 2016-01-20 17:09:18 -08:00
pcmcia
ras
rdma IB/mlx4: Enable send of RoCE QP1 packets with IP/UDP headers 2016-01-19 15:35:01 -05:00
rxrpc
scsi Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
soc ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
sound ALSA: timer: Introduce disconnect op to snd_timer_instance 2016-01-21 17:51:42 +01:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-01-20 17:20:53 -08:00
trace Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
uapi Some locking and page fault bug fixes from Jan Kara, some ext4 2016-01-22 11:23:35 -08:00
video omapdss: remove CONFIG_OMAP2_DSS_VENC from omapdss.h 2015-12-29 11:07:46 +02:00
xen Merge branch 'for-4.5/drivers' of git://git.kernel.dk/linux-block 2016-01-21 18:19:38 -08:00
Kbuild